Quoting Max Vozeler <max_at_hinterhof.net>:
> > That's an interesting idea! I don't think we're quite ready to let the
> > machines do all auditing by themselves (do Flawfinder or RATS obey
> > Asimov's laws of robotics?).
>
> I obviously meant not _completely_ automated.
sub discuss_bug_with_maintainer() probably requires full AI, so it might be hard
to write...
> > bugs (syslog(LOG_MAIL, blah); or fprintf(stderr, blah); or whatever),
>
> One could argue that these are still bugs with security implications.
> Some versions later, a sleepy developer may not remember the subtleness
> and add an otherwise unsuspecting debugging statement that makes the
> content controllable.
That's true. Another interesting special case is when you find a buffer overflow
or a format string bug, but it comes from data controlled by root and not by
normal users. I guess you could see that as a kind of crash bug which should be
fixed but which isn't a real security hole. I just found one of those in
sysklogd (boast, boast):
http://lists.infodrom.org/infodrom-sysklogd/2004/0019.html
Drawing the line between security problems and bugs can be hard. You also have
the special case where you find a bug but it requires so many things (defined
symbols, command line options and so on) that it feels a bit stupid to treat it
like a serious security threat.
--
Ulf Harnhammar
http://www.advogato.org/person/metaur/

Received on Thu Jul 22 2004 - 23:30:20 BST
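As an added example (not part of the thread above, and not the code of Flawfinder, RATS or sysklogd), here is a minimal checker in the spirit of those tools: it scans C source for `printf`-family and `syslog` calls whose format argument is not a string literal, which is the pattern behind the `fprintf(stderr, blah)` bugs the message mentions. The function table and the sample C source are constructed for illustration.

```python
import re

# 0-based position of the format-string argument for a few common C
# formatted-output functions. Assumption: an illustrative subset, not the
# full tables real auditing tools such as Flawfinder or RATS carry.
FORMAT_ARG_INDEX = {
    "printf": 0,
    "fprintf": 1,
    "sprintf": 1,
    "snprintf": 2,
    "syslog": 1,
}

CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")


def split_args(source, start):
    """Split the call whose '(' is at source[start] into top-level arguments.

    Returns (args, index_after_closing_paren). Nested parentheses and string
    or character literals (including escaped quotes) are respected, so a comma
    inside "%d, %s" does not split the argument.
    """
    depth = 0
    quote = None
    args = []
    current = []
    i = start
    while i < len(source):
        ch = source[i]
        if quote:
            current.append(ch)
            if ch == "\\" and i + 1 < len(source):
                current.append(source[i + 1])  # keep escaped char verbatim
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            current.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                current.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(current).strip())
                return args, i + 1
            current.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    raise ValueError("unterminated call")


def find_nonliteral_formats(source):
    """Return [(line_no, function, format_arg_text)] for every call whose
    format argument does not start with a string literal.

    This is a heuristic: a #define'd literal or a const char* initialised from
    one is flagged too, so each hit still needs a human to decide whether the
    data is attacker-controlled, root-controlled, or harmless.
    """
    findings = []
    for m in CALL_RE.finditer(source):
        func = m.group(1)
        try:
            args, _ = split_args(source, m.end() - 1)
        except ValueError:
            continue  # truncated source; nothing to judge
        idx = FORMAT_ARG_INDEX[func]
        if idx >= len(args):
            continue
        fmt = args[idx]
        if not fmt.startswith('"'):
            line_no = source.count("\n", 0, m.start()) + 1
            findings.append((line_no, func, fmt))
    return findings


# Constructed sample input: two defects, three calls that are fine.
SAMPLE_C = r'''
#include <stdio.h>
#include <syslog.h>

void report(const char *msg, const char *path) {
    char buf[64];
    fprintf(stderr, msg);               /* format comes from a variable */
    syslog(LOG_MAIL, msg);              /* same problem via syslog */
    fprintf(stderr, "%s\n", msg);       /* fixed: literal format, data as argument */
    printf("opening %s\n", path);       /* fine */
    snprintf(buf, sizeof(buf), "%d, %s", 1, path);  /* comma inside the literal */
}
'''

if __name__ == "__main__":
    for line_no, func, fmt in find_nonliteral_formats(SAMPLE_C):
        print(f"line {line_no}: {func}() with non-literal format '{fmt}'")
```

Run against the sample it reports lines 7 and 8 and stays quiet on the `"%s"` form, which is exactly the fix for that class of bug. Whether a reported hit is a real hole or, as in the sysklogd case above, a crash bug on root-controlled data is the part the tool cannot decide for you.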