From owner-freebsd-audit Fri Dec 8 16:17:25 2000
From owner-freebsd-audit@FreeBSD.ORG Fri Dec 8 16:17:23 2000
Return-Path:
Delivered-To: freebsd-audit@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 0284A37B400 for ; Fri, 8 Dec 2000 16:17:21 -0800 (PST)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.0/8.11.0) with ESMTP id eB90HJs53459; Fri, 8 Dec 2000 17:17:19 -0700 (MST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id RAA16499; Fri, 8 Dec 2000 17:17:19 -0700 (MST)
Message-Id: <200012090017.RAA16499@harmony.village.org>
To: Will Andrews
Subject: Re: bitchx/ircd DNS overflow demonstration (fwd)
Cc: Mike Silbersack, freebsd-audit@FreeBSD.ORG
In-reply-to: Your message of "Fri, 08 Dec 2000 19:00:04 EST." <20001208190004.S572@puck.firepipe.net>
References: <20001208190004.S572@puck.firepipe.net>
Date: Fri, 08 Dec 2000 17:17:18 -0700
From: Warner Losh
Sender: imp@harmony.village.org
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <20001208190004.S572@puck.firepipe.net> Will Andrews writes:
: On Fri, Dec 08, 2000 at 12:34:35AM -0600, Mike Silbersack wrote:
: > Since people appear to be on an auditing rampage, I thought I'd forward
: > this over to the list. It describes some DNS parsing bugs in a few ircds
: > and BitchX that seem to have serious consequences. It may be worth a look
: > into if programs in the base system have similar problems.
:
: Err, this is out of the list's charter IMO. We're only here to audit
: code in FreeBSD itself.
:
: Anyone want to clarify the charter? Actually, I don't see any charter
: anywhere..

When we created this list, we created it to coordinate a pass through the tree making sure that the code was doing things properly.
Recently, people have been expanding its charter to include code reviews to ensure that code going into the system will not have new security holes (or old ones are identified). It is squishy if this includes ports or not. It isn't precluded, nor is it included.

I'd say that we should go ahead and open it up in a provisional manner. One of four things will happen.

1) Nothing. No action needed.

2) A small number of changes will come in and the load won't be too bad. People on the list can easily keep up with it and do keep up with it. No action needed.

3) A huge number of changes and people keep up with it. So many changes come in that we need a new list. Action: audit-ports.

4) No one cares enough to bother, in which case we degenerate into #1 over time.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message