From owner-cvs-all Sat Nov 25 19:01:54 2000
Delivered-To: cvs-all@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20])
	by hub.freebsd.org (Postfix) with ESMTP id 02A1537B4CF;
	Sat, 25 Nov 2000 19:01:47 -0800 (PST)
Received: (from bright@localhost)
	by fw.wintelcom.net (8.10.0/8.10.0) id eAQ31k110949;
	Sat, 25 Nov 2000 19:01:46 -0800 (PST)
Date: Sat, 25 Nov 2000 19:01:46 -0800
From: Alfred Perlstein <bright@wintelcom.net>
To: "Brian F. Feldman" <green@FreeBSD.org>
Cc: obrien@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/inetd builtins.c
Message-ID: <20001125190146.Q8051@fw.wintelcom.net>
References: <200011260209.eAQ29N572833@green.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200011260209.eAQ29N572833@green.dyndns.org>; from green@FreeBSD.org on Sat, Nov 25, 2000 at 09:09:23PM -0500
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

* Brian F. Feldman <green@FreeBSD.org> [001125 18:09] wrote:
> "David O'Brien" <obrien@FreeBSD.org> wrote:
> > On Sat, Nov 25, 2000 at 09:15:21AM -0500, Brian F. Feldman wrote:
> > > > What's going on here? And why was it MFC'd already?
> > >
> > > It can expose up to 16 bytes of wheel-readable data. That's bad!
> >
> > That's not such a bad vulnerability that you shouldn't have waited at
> > least 1-2 days for this to sit in -CURRENT to give people a chance to
> > comment.
>
> I don't think I did something wrong. I am not saying this to be
> argumentative. I honestly believe if there's any type of security problem
> and the fix 1) doesn't break anything and 2) is simple enough, there isn't
> any inherent problem with initiating a fix in both branches. I know it
> doesn't break anything because I've tested it (also for the degenerative
> cases).
>
> Where's the harm done by committing a fix, even were it incomplete, when it
> doesn't make the problem any worse? I'm honestly very curious what reasons
> people would have not to want something done as soon as feasible. Fear that
> people may update and assume the problem is completely fixed?

Because your "fix" was a gross hack on top of the gross hack already in
place.

Security concerns should be discussed with the security officer so that he
can contact us with a background in such matters about fixing it.

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."