> The answer, of course, is that it depends. ;-) Yeah.
> When it comes to buffer overflows, I think the best course of action > is to assume that an overflow error is always exploitable and just > fix it. If it's in managed code, and it's not a networked, multi-tasked code, it should still be fairly safe. "Don't do it, then" is often a sufficient remedy. OTOH, passport readers tend to be components of large, real-world systems and processes, and repeated failures in some circumstances might have interesting, exploitable side effects at a very high level. (Think about disabling a burglar alarm by repeatedly triggering false alarms.) And let's not forget the PR angle--someone has certified that the software does not contain such errors. Who knows what else they have missed. _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
