Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAOMtMF3Uqxaidt+p=Sq+PYKS9k6x_2wCU+YxobJ3REJgUSM2WQ@mail.gmail.com>
Date: Sun, 23 Nov 2014 15:19:36 +0100
From: Bernhard Hermann <bernhard.hermann@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: so, can we do something about lesspipe? (+ a cpio
 bug to back up the argument)

I agree to both of you and to me it is an important issue. I don't want to
be infected with malware while checking whether a file is malware :-( or my
distro doing something in the background that I'm not even aware of.

Unfortunately I don't feel like I'm up to the task. But I would be very
glad if others (you two seem very qualified to me) would tackle these
problems.

If money can help with this I'd be willing to throw in a few dozen currency
units to support this cause. (I hope that doesn't reduce intrinsic
motivation?)

br,
BH
 On 23 Nov 2014 10:52, "Hanno Böck" <hanno@...eck.de> wrote:

> On Sun, 23 Nov 2014 01:24:11 -0800
> Michal Zalewski <lcamtuf@...edump.cx> wrote:
>
> > WDYT?
>
> lesspipe is a tough one.
>
> First of all let me remind that I recently found an out of bounds
> access in less's unicode decoding itself. Upstream is not responsing
> atm. It's only a read error, but it was not even fuzzing, it was an
> accidental finding, I'd expect that further analysis might yield to
> more.
>
>
> Now lesspipe: I didn't know that this thing exists until very
> recently but I was aware that less did some kind of parsing and e.g. I
> quite liked the idea that you can "less" gz/bzip2 files.
>
> Actually leaving security asside I quite like the idea of lesspipe, so
> I'm reluctant to say "lesspipe scripts have gotta die / be disabled".
>
> That said the alternative is a tough one. It would be something
> like this:
> * Fuzz all the things in lesspipe
> * Report what you find
> * Kill the tools that have unsatisfying upstream reactions and replace
>   them with more secure ones.
> And even after doing this this probably wouldn't count as a high
> security solution.
>
> I'm aware this feels like a huge effort, but actually it fits very
> well in the project I'm about to start anyway. And lesspipe gives a good
> starting point to what tools might deserve some more fuzzing.
>
> cu,
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: hanno@...eck.de
> GPG: BBB51E42
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.