Re: [Clamav-users] Tomasz, you're an idiot, and you don't even know it

2008-01-07 Thread Gregory Carter
I totally agree, but I think after you pointed out 4(a), all the other issues cited simply make further discussion pedantic. -gc Paul Kosinski wrote: > 0. The tone of the original posting, especially the subject line, > is quite unprofessional. > > 1. The race condition seems easy enough to fi

Re: [Clamav-users] Tomasz, you're an idiot, and you don't even know it

2008-01-03 Thread Paul Kosinski
0. The tone of the original posting, especially the subject line, is quite unprofessional. 1. The race condition seems easy enough to fix by using O_EXCL. But then it should retry with a new generated file name a bunch of times, rather than simply giving up. (Giving up is especially bad for clamd

Re: [Clamav-users] Tomasz, you're an idiot, and you don't even know it

2008-01-03 Thread Gerard
On Thu, 3 Jan 2008 11:11:45 +0100 "Roflek of TK53" <[EMAIL PROTECTED]> wrote: [snip] > Since you are German, you obviously have no idea about irony. IMHO, this thread has proceeded to the point when Godwin's law is going to be implemented. Perhaps, it might best be put to rest. The parties involve

Re: [Clamav-users] Tomasz, you're an idiot, and you don't even know it

2008-01-03 Thread Roflek of TK53
On Jan 3, 2008 3:14 AM, Christoph Cordes <[EMAIL PROTECTED]> wrote: > Don't try to bend my words in a way you can make use of them. I did > not say you're evil or mean. All I said is that your ego gets pushed > by seeing your nick on the FD list. That's not even selfish and for > sure not evil or m

Re: [Clamav-users] Tomasz, you're an idiot, and you don't even know it

2008-01-02 Thread Christoph Cordes
On 03.01.2008 at 01:20, Roflek of TK53 wrote: > On Jan 3, 2008 12:48 AM, Christoph Cordes <[EMAIL PROTECTED]> wrote: >> Let's leave the technical part out, since this is not a technical >> issue as it seems. Tomasz did not deny anything, he just said that >> these are minor issues. I fully unders

Re: [Clamav-users] Tomasz, you're an idiot, and you don't even know it

2008-01-02 Thread Roflek of TK53
On Jan 3, 2008 12:48 AM, Christoph Cordes <[EMAIL PROTECTED]> wrote: > Let's leave the technical part out, since this is not a technical > issue as it seems. Tomasz did not deny anything, he just said that > these are minor issues. I fully understand that your ego gets pushed > by seeing your nick i

Re: [Clamav-users] Tomasz, you're an idiot, and you don't even know it

2008-01-02 Thread Christoph Cordes
On 03.01.2008 at 00:22, Roflek of TK53 wrote: > On Jan 2, 2008 11:31 PM, Tomasz Kojm <[EMAIL PROTECTED]> wrote: >> I don't negate your points about O_EXCL etc. I don't negate the >> thesis in >> the subject either :-) What I really negate is the FUD you're >> making with your >> disclosures,

Re: [Clamav-users] Tomasz, you're an idiot, and you don't even know it

2008-01-02 Thread Roflek of TK53
On Jan 2, 2008 11:31 PM, Tomasz Kojm <[EMAIL PROTECTED]> wrote: > I don't negate your points about O_EXCL etc. I don't negate the thesis in > the subject either :-) What I really negate is the FUD you're making with your > disclosures, some technical details, and the general pointless of making > a

Re: [Clamav-users] Tomasz, you're an idiot, and you don't even know it

2008-01-02 Thread Arthur Sherman
> Dear Rofl and Lol as in Lek, > > since you didn't bother to contact us before posting full > disclosure we didn't have a chance for a technical discussion. > > I don't negate your points about O_EXCL etc. I don't negate > the thesis in the subject either :-) What I really negate is > the FUD

Re: [Clamav-users] Tomasz, you're an idiot, and you don't even know it

2008-01-02 Thread Tomasz Kojm
On Wed, 2 Jan 2008 22:08:45 +0100 "Roflek of TK53" <[EMAIL PROTECTED]> wrote: > Simply generating very long filenames doesn't protect you from race > conditions and symlink attacks. Well, from a practical, naive point of > view that only considers what is easy to observe, it is. But since > securi

Re: [Clamav-users] Tomasz, you're an idiot, and you don't even know it

2008-01-02 Thread David F. Skoll
James Kosin wrote: > But, it makes it extremely unlikely to occur; which is not what the > reporter suggests. However, an atomic create-or-fail operation would eliminate all the danger for sure and also reduce the need for such an... erm... ornate filename-generation algorithm. (And using O_NOFOL

Re: [Clamav-users] Tomasz, you're an idiot, and you don't even know it

2008-01-02 Thread James Kosin
Roflek of TK53 wrote: > Hello everyone, >> "1) ClamAV uses own functions to create temporary files. One such routine is >> vulnerable to a race condition attack." >> >> The analysis is incorrect. The author mistakenly assumed that name_salt is >> fixe

[Clamav-users] Tomasz, you're an idiot, and you don't even know it

2008-01-02 Thread Roflek of TK53
Hello everyone, > "1) ClamAV uses own functions to create temporary files. One such routine is > vulnerable to a race condition attack." > > The analysis is incorrect. The author mistakenly assumed that name_salt is > fixed and this is not true. After each call to cli_gentemp() name_salt gets > upd