On Wed, Feb 20, 2013 at 06:17:16PM +0200, Maxim Kammerer wrote:
> On Wed, Feb 20, 2013 at 5:49 PM, micah anderson <mi...@riseup.net> wrote:
> > Developers never made a mistake leading to a security problem, so
> > Debian's one mistake in 2006 should be forever trotted out as an example
> > of how Debian sucks, good point.
>
> I once needed to patch HTPdate [1], and immediately noticed two
> possibilities for buffer overflows. Immediately, because they are
> obvious to anyone who knows C — in line 243:
>
>     if ( recv(server_s, buffer, BUFFERSIZE, 0) != -1 ) {
>
> does not ensure NUL-termination of received input, and in lines 264–265:
>
>     if ( (pdate = strstr(buffer, "Date: ")) != NULL ) {
>         strncpy(remote_time, pdate + 11, 24);
>
> necessary size of buffer after "Date: " is not ensured.
>
> I have sent a patch to the author of HTPdate, and he wrote back that a
> “Debian security administrator” already went over the code with him
> line-by-line.
>
> So, for the record, there are at least *two* examples why Debian sucks
> security-wise.
>
> [1] http://www.vervest.org/foswiki/bin/view/HTP/DownloadC
Did you file a bug? It doesn't look like you did. You should do it.

http://www.debian.org/Bugs/

Filing a bug is a standard procedure which is the fastest and most responsible means of getting a patch in and escalated in Debian GNU/Linux. For all you know the author of HTPdate may not be telling the truth, that s/he didn't contact any 'Debian security administrator' - I've never heard of such a role. Debian packages have /maintainers/ not administrators. You ought to file a bug so it reaches the package maintainer.

Frankly, you will always find exceptions to what is otherwise a highly regarded distribution, highly regarded enough for 70% or so of all other distributions to use it as a base. A great many security conscious organisations run their internet-facing servers on Debian GNU/Linux (Stable). More so, BackTrack is based on Debian, a distribution used by countless data forensics people, pen-testers and security auditors worldwide. It's fairly widely trusted in the field.

Cheers,

--
Julian Oliver
http://julianoliver.com
http://criticalengineering.org

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
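As an added illustration (not HTPdate's code and not from either poster), the two checks Maxim's quoted message calls for, written defensively: the buffer that recv() filled is explicitly NUL-terminated, and the 11 + 24 bytes after "Date: " are verified to exist before anything is copied. The function and helper names and the sample HTTP responses are constructed for this example; the socket read is modelled by passing the received bytes and recv()'s return value in directly.

```c
#include <stddef.h>
#include <string.h>

#define BUFFERSIZE 1024
#define DATE_LEN 24   /* length of "20 Feb 2013 16:17:16 GMT" */

/* Hardened version of the date-extraction step (constructed example).
 * recv_buf/received stand in for what recv() wrote and returned, so the
 * routine runs without a socket. Returns 0 on success, -1 otherwise. */
int extract_http_date(const char *recv_buf, long received,
                      char *remote_time, size_t remote_size)
{
    char buffer[BUFFERSIZE];
    const char *pdate;

    /* Reject a failed recv(), a read that leaves no room for the terminator,
     * and an output buffer too small for 24 characters plus NUL. */
    if (received < 0 || (size_t)received >= sizeof buffer ||
        remote_size < DATE_LEN + 1)
        return -1;

    /* Fix 1: the original never terminated what recv() returned, so strstr()
     * could run past the received data. Terminate explicitly. */
    memcpy(buffer, recv_buf, (size_t)received);
    buffer[received] = '\0';

    if ((pdate = strstr(buffer, "Date: ")) == NULL)
        return -1;

    /* Fix 2: the original copied 24 bytes from pdate + 11 ("Date: " plus a
     * "Wed, " weekday) without checking that much data was present. */
    if (strlen(pdate) < 11 + DATE_LEN)
        return -1;
    memcpy(remote_time, pdate + 11, DATE_LEN);
    remote_time[DATE_LEN] = '\0';   /* strncpy() would not guarantee this */
    return 0;
}

/* Helper for checking outcomes on a constructed response string:
 * expected == NULL means the parse is required to fail. */
int check_response(const char *response, const char *expected)
{
    char out[DATE_LEN + 1];
    int rc = extract_http_date(response, (long)strlen(response),
                               out, sizeof out);
    if (expected == NULL)
        return rc == -1;
    return rc == 0 && strcmp(out, expected) == 0;
}
```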