Mailinglist Archive: opensuse (1470 mails)

< Previous Next >
Re: [opensuse] Now what? Glibc bug, vulnerability
On 02/17/2016 02:50 AM, Marcus Meissner wrote:
Updates are being prepared and will likely be published today.

Really, this raises a couple of questions"

1. It was introduced in 2008. How come?
Did not-one review the code change and see the buffer overflow
back then?

2. It wasn't detected until now. How come?
Has no-one reviewed the code since then?

Its not as if this is a rarely used piece of code in an application used
by only a few people to add eye-candy to a desktop! This is core
Internet handling code!

<quote>
To the surprise of the Google researchers, they soon learned that glibc
maintainers had been alerted to the vulnerability last July.
</quote>

and later

<quote>
It remains unclear why or how glibc maintainers allowed a bug of this
magnitude to be introduced into their code, remain undiscovered for
seven years, and then go unfixed for seven months following its report.
By Google's account, the bug was independently uncovered by at least two
and possibly three separate groups who all worked to have it fixed. It
wouldn't be surprising if over the years the vulnerability was uncovered
by additional people and possibly exploited against unsuspecting targets.
</quote>

And only *NOW* is it considered to be a serious issue and hurry up and
fix it.

What was that about woodpeckers ...
Ah yes, Gerry Weinberg attributed with the quote in: Murali Chemuturi
(2010) Mastering Software Quality Assurance: Best Practices, Tools and
Technique for Software Developers. p. ix

This
http://cafbit.com/entry/reinventing_software_for_security
attributes many of the problems we have with 'memory' wrt secuyrity to
the use of C and C++.



--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >