Mailinglist Archive: opensuse (1470 mails)

< Previous Next >
Re: [opensuse] Now what? Glibc bug, vulnerability
On 02/17/2016 08:16 AM, Anton Aylward wrote:
On 02/17/2016 10:16 AM, Bernhard Voelker wrote:

the asnwer is easy:
I did not have a look at the code, and I guess you haven't either
... and the same applies to the rest of the world.

So much for Raymond's proposition that "given enough eyeballs, all bugs
are shallow"!

But you haven't answered a few parts of that quesation.

This is old code that was revised and the revision broke it. It worked
before, why was it changed to something that was broken?

Buffer overflow is one of the classic programming bugs. We have
scanners that search code for it.

Next up: if this was found so long ago why is it only now that it is
being fixed?

I suggest this is the wrong forum to post those questions.
I doubt any of us here could answer them, and its even less likely anyone
associated with opensuse was responsible.

Many bugs are introduced in fixes, but until or unless the bug causes
wrong results its unlikely to be detected.

Just how good are these scanners? I've used these scanners in the past
and the output was overwhelming. In one scanner that I used, unless EACH
reference to a particular buffer operation was range-tested, it would
spew hundreds of warnings that had to be checked manually.

It invariably turned out that the programmer had indeed range tested
the pointers, a dozen lines previously, in straight line code, and
to add injury to insult, actually inserting the recommend range checks
(dozens of them) would increase the size of the code dramatically,
while reducing the speed significantly.

If the tools are as good as you suggest, wouldn't that be something
a novice could run against source code as their contribution to
opensource?






--
After all is said and done, more is said than done.
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >