
Re: Package descriptions/ITPs [Was: Bug#148319: ITP: unreal-ircd]



This one time, at band camp, Brian May wrote:
>On Tue, 2002-05-28 at 19:53, Andrew Suffield wrote: 
>> In general I would suggest that people should avoid making any
>> comments about stability/quality in package descriptions; try to keep
>> them objective and opinion-free, please.
>
>Maybe the software has been specifically designed from the ground up to
>be secure?
>
>Maybe it does not use C or C++ and buffer overruns are impossible?
>
>Maybe it does not create temporary files, so those exploits are
>impossible?
>
>(seems to be the most common 2 reasons for security holes lately).

In this particular case, "no" on all counts.

>> [1] All software has security holes. Without exception.
>
>Really? *All* Software?
>
>Spot the security holes:
>
>--- CUT ---
>#include <stdio.h>
>
>int main() {
>        printf("Hello World\n");
>        return(0);
>}

Your libc has been trojaned and printf runs a root shell.

-- 
jaq@spacepants.org                           http://spacepants.org/jaq.gpg
 
A journey of a thousand sites begins with a single click.
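The point behind "your libc has been trojaned" is that even a hello-world program's trust boundary includes every shared object the dynamic loader maps into it. The following is an added example, not code from the thread: a C program that walks /proc/self/maps (so it assumes Linux), lists each distinct file mapped into the process, and flags any that was loaded from outside a set of directories the distribution owns. The prefix list is an assumption chosen for the example; a real deployment would compare against package checksums (on Debian, debsums) rather than paths alone.

```c
#include <stdio.h>
#include <string.h>

#define MAX_OBJS 256
#define PATH_LEN 512

/* Directories from which we expect the distribution's shared objects to be
 * loaded. An object resolved from anywhere else (a world-writable directory,
 * a preloaded library in /tmp) deserves a closer look. This list is an
 * assumption for the example, not a Debian policy. */
static const char *const trusted_prefixes[] = {
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", NULL
};

/* Return 1 if path begins with one of the trusted prefixes, 0 otherwise. */
int path_is_trusted(const char *path)
{
    for (int i = 0; trusted_prefixes[i] != NULL; i++) {
        size_t n = strlen(trusted_prefixes[i]);
        if (strncmp(path, trusted_prefixes[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Extract the mapped file path (6th column) from one /proc/self/maps line.
 * Returns 1 and fills out when the line names a real file, 0 for anonymous
 * mappings and pseudo entries such as [stack] or [vdso]. */
int maps_line_path(const char *line, char *out, size_t outlen)
{
    char buf[PATH_LEN];
    if (sscanf(line, "%*s %*s %*s %*s %*s %511s", buf) != 1)
        return 0;
    if (buf[0] != '/')
        return 0;
    snprintf(out, outlen, "%s", buf);
    return 1;
}

/* Enumerate the distinct files mapped into this process and report those
 * loaded from outside the trusted prefixes on stderr. Returns the number of
 * untrusted objects, or -1 if /proc/self/maps cannot be read. */
int count_untrusted_mappings(void)
{
    static char seen[MAX_OBJS][PATH_LEN];   /* distinct paths already reported */
    int nseen = 0, untrusted = 0;
    char line[1024], path[PATH_LEN];

    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL)
        return -1;

    while (fgets(line, sizeof line, f) != NULL) {
        if (!maps_line_path(line, path, sizeof path))
            continue;

        /* A library is mapped several times (text, rodata, data); count once. */
        int dup = 0;
        for (int i = 0; i < nseen; i++)
            if (strcmp(seen[i], path) == 0) { dup = 1; break; }
        if (dup || nseen == MAX_OBJS)
            continue;
        snprintf(seen[nseen++], PATH_LEN, "%s", path);

        if (!path_is_trusted(path)) {
            untrusted++;
            fprintf(stderr, "untrusted origin: %s\n", path);
        }
    }
    fclose(f);
    return untrusted;
}

int main(void)
{
    int bad = count_untrusted_mappings();
    printf("Hello World (%d object(s) mapped from outside trusted paths)\n", bad);
    return bad != 0;
}
```

Running it under a preloaded library from, say, a home directory makes the extra object visible in the report; the program itself does nothing beyond the printf, yet its behaviour is fully determined by whatever occupies those mappings.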

