On Mon, Jun 28, 2004 at 05:54:29PM +0200, Ulf Härnhammar wrote:
> For one thing, I have found lots of code with potential format
> string bugs (syslog(LOG_MAIL, blah); or fprintf(stderr, blah); or whatever),
> which turned out to be sloppy programming and no security hole, because the
> user never got to control the value of blah. Automatic auditing is helpful,
> both for people who can't and people who can do manual auditing, but it's far
> from replacing it.
Definitely agreed. It's always the case that you have to read back
over the code that has been identified by these tools to see what's
going on.
I think the point was more to see suspicious things rather than
anything else.
Steve
--Received on Tue Jun 29 2004 - 09:36:30 BST
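The distinction Ulf draws above, a non-literal format argument that is harmless because the program chose the string versus the same call shape fed from a client, as an added C example that is not from the thread or from any project discussed in it. The `logmsg` wrapper, the `render_*` functions and the `CLIENT_MSG` sample are all constructed for this illustration; the only directive in the sample is `%%`, which consumes no argument, so the sloppy path can be run without invoking undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrapper in the style of syslog(3): a format plus
 * variadic arguments, rendered into a caller-supplied buffer. */
static int logmsg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Call shape an automatic auditor flags: the format argument is a
 * variable, not a literal. Here the variable holds a constant chosen by
 * the program, so this is sloppy but not exploitable; only reading the
 * surrounding code tells you that. */
int render_constant(char *out, size_t outlen)
{
    const char *blah = "mail queue flushed";
    return logmsg(out, outlen, blah);
}

/* Same call shape, but now the string comes from a remote client.
 * Every '%' directive in it is interpreted by vsnprintf: "%x" reads
 * stack slots and "%n" writes through them, which is undefined
 * behaviour and the classic route to code execution. Not triggered here. */
int render_untrusted_sloppy(char *out, size_t outlen, const char *client_msg)
{
    return logmsg(out, outlen, client_msg);
}

/* Hardened form: the format is a literal and the client data is an
 * argument, so '%' in the data is copied, never interpreted. */
int render_untrusted_safe(char *out, size_t outlen, const char *client_msg)
{
    return logmsg(out, outlen, "%s", client_msg);
}

/* Constructed sample input: a harmless directive ("%%" needs no argument)
 * that still shows the sloppy path parsing client data as a format. */
static const char *const CLIENT_MSG = "HELO 50%%off";

/* Returns 1 if the sloppy path produced different text from the safe
 * path, i.e. it treated client data as a format string. Only pass
 * inputs whose directives consume no arguments, such as "%%". */
int sloppy_path_interprets(const char *msg)
{
    char sloppy[128], safe[128];
    render_untrusted_sloppy(sloppy, sizeof sloppy, msg);
    render_untrusted_safe(safe, sizeof safe, msg);
    return strcmp(sloppy, safe) != 0;
}

int main(void)
{
    char buf[128];
    render_constant(buf, sizeof buf);
    printf("constant:  %s\n", buf);
    render_untrusted_sloppy(buf, sizeof buf, CLIENT_MSG);
    printf("sloppy:    %s\n", buf);   /* "%%" collapsed to "%": data was parsed as a format */
    render_untrusted_safe(buf, sizeof buf, CLIENT_MSG);
    printf("hardened:  %s\n", buf);   /* copied verbatim */
    return 0;
}
```

Note that `render_constant` and `render_untrusted_sloppy` are byte-for-byte the same call, which is why a pattern-matching tool reports both and why the report is only a starting point: the finding is real in one and noise in the other, and the difference lives in where `blah` came from, not in the line the tool printed. With a wrapper like `logmsg` the compiler's `-Wformat-security` does not help either unless the wrapper carries the `format` attribute.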