Re: Re: Goals for Etch?
Steve Kemp <steve <at> shellcode.org>
2005-06-17 18:38:02 GMT
On Fri, Jun 17, 2005 at 01:20:14AM +0200, Ulf Harnhammar wrote:
> On Tue, Jun 14, 2005 at 10:30:13PM +0200, Javier Fern?ndez-Sanguino Pe?a wrote:
> > - we would like to do a security review of all the base packages before
> > etch (at least two people should look into them)
> > - we would like to do a security review of a significant percentage of
> > extra/optional packages before etch
> > - we would like to provide a useful and complete document for all DDs (that
> > might be included in the NM process) that describes how to do a security
> > audit of their source packages and find the "low hanging fruit" with a mix
> > of automatic tools and some sensible questions.
This actually seems like the most challenging, and potentially useful
idea. If enough maintainers became interested in looking at their
own packages it would decrease the need for us to bother.
> They all sound great. Here are some types of bugs that the document could
> * format string bugs with syslog(something, something2)
> * fscanf(fp, "%s", buf)
> * setting HOME to a 16 kB long value and see if things blow up
> * strncat(buf2, buf, sizeof(buf2))
> * /tmp bugs