On Jan 3, 2008 12:48 AM, Christoph Cordes <[EMAIL PROTECTED]> wrote:
> Let's leave the technical part out, since this is not a technical
> issue as it seems. Tomasz did not deny anything, he just said that
> these are minor issues. I fully understand that your ego gets pushed
> by seeing your nick in a post on FD and you simply can't cope with
> opinions that differ that much from yours. Somehow I suspect this is
> something personal, not technical.

Yes, I'm evil, I'm mean, I need ego boosts by posting on FD. You
totally caught me.

> > Or is your denial simply the result of the personal hurt because all
> > types of security groups pwn teh shit out of ClamAV? Better be happy
> > that at least somebody audits your code, or take the next step:
> > rigorously audit the code by yourself.
>
> Oh wait - if you talk about security groups i hope you don't think
> this includes you?! Security groups are usually not interested in
> "pwning the shit out of something" - that's what kids do.

"pwning the shit" is merely the ironic exaggeration of the bad
security record of ClamAV in the last 2 to 3 years.

> The security groups we have worked together with till now usually
> have a clue about responsible disclosure and things like that. If you
> really would give a sh*t about security and/or if you would believe
> that the "vulnerabilities" you found are that severe, you would
> follow the common guidelines of disclosure. But hey, it's not about
> security, is it?

Responsible disclosure is just one opinion about how vulnerabilities
should be published, and I don't share this opinion, nor do I want to
be forced into such a process. In fact, too often so-called
"responsible" disclosure has been used to either sweep issues under
the rug or to abuse and/or sue security researchers.

BTW, I never claimed that the issues that we found are severe (I find
the severity scores incl. their subscores in CVE-2007-659{5,6} to
match pretty well). At least I don't deny that there's a bunch of
locally exploitable vulnerabilities in ClamAV, and if I had access to
the SVN repository, I would commit the (trivial) fixes to it, instead
of asserting that the described vulnerabilities aren't a problem
without fully understanding the implications of symlink races (the
flamebait subject says it all).

> Thanks for reporting the bugs.

You meant vulnerabilities.

Regards,
Rofl as in Lek
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html