Message-ID: <CAA7hUgGRshZPyRuAcTbVg5cE6_m7h1CUFDa8jOpEpRRqt+aRJA@mail.gmail.com>
Date: Mon, 17 Nov 2014 13:48:39 +0100
From: Raphael Geissert <geissert@...ian.org>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Re: Fuzzing findings (and maybe CVE requests) -
 Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less

On 17 November 2014 13:33, Hanno Böck <hanno@...eck.de> wrote:
[...]
> What should we do with that?
> a) is it an inappropriate use of less to view untrusted files and we
> should teach users so? (I seriously never would've thought of that - and
> which average "just learned how to use the shell" user would've?)
> b) tell linux distros that lesspipe is insecure and shouldn't be
> enabled?
> c) fuzz all the tools in there and report at least the
> low-hanging-fruit-bugs? (and then maybe try to replace the
> "they-don't-fix-bugs-or-don't-have-a-dev-any-more"-tools with more
> secure ones)

d) acknowledge the fact that most tools were not "designed for
security" and that we should talk about mitigation. It's about risk
analysis.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
