I have discovered a small problem in a well deployed Unix utility. It is (just) possible that this problem has some security related issues.
This code, by the way, is probably in every single deployed Unix system.
What should I do now?
- Comment
- Reblog
-
Subscribe
Subscribed
Already have a WordPress.com account? Log in now.
code monk 
2008-10-06 at 15:00:32
Email the author about it. Maybe discuss it quietly with trusted knowledgable friends first to make sure it really is a problem.
2008-10-06 at 16:14:24
The authors have bang paths for their e-mail addresses. Well, not all of them, but most of them. And it’s an amusing thing to mention.
2008-10-06 at 16:22:57
bugtraq?
2008-10-06 at 20:16:41
Get people you know to verify the problem on other systems. Then BugTraq.
2008-10-07 at 00:13:05
I’m curious: is it the same code on a GNU/Linux system?
Also, assuming this is the thing which you mentioned earlier: do you have test data which causes that path to be executed? Do you have test data which can cause a failure on a real system?
2008-10-07 at 08:08:29
Some more background. The problem involves a certain code path which when executed results in undefined behaviour. Now it so happens that this undefined behaviour is in practice always harmless, but that’s only by luck. If the memory layouts should shift, then it could be worse.
@NickB: I have yet to look at the code on GNU/Linux.
The naughty code path is invoked on practically every invocation of the utility.
I cannot yet cause it to fail on a real system.
2008-10-12 at 02:58:07
If you can’t find who to tell, then just blog it. ‘Better out than in’ as my granddad used to say.