Language Selection

English French German Italian Portuguese Spanish

Insecurity blues: What I learned from my buggy code

Filed under
Software

It hasn't been a good month for my code. Samba, the project I'm responsible for, has had to announce several security flaws. Unfortunately some of them were in code I wrote. I always do a large amount of soul-searching whenever that happens. There's nothing worse than finding out something you were responsible for is the cause of many thousands of people having to waste their time rolling out patches. It always makes me wonder if the time has come to give up this programming lark and end my days peacefully in management, messing up other people's code instead of creating my own.

It's very educational however to look at the causes of the flaws, and try and learn what we can from the bugs and also our reactions to them. Samba is an old program. The initial code was originally written 15 years ago. At that time, modern security problems such as integer wrap (where adding two numbers together can end up with a number smaller than both of them, due to the fixed sizes of integers that processors deal with), or heap overflow vulnerabilities (where overwriting unallocated memory on the program heap can allow a clever attacker to seize control of a program) were unheard of. We knew about buffer overruns (where reading more data into a buffer than was originally allocated for it can cause a security breach) and denial of service attacks, but 1992 was a simpler, less hostile time for network software development. Most initial deployments of Samba were on networks isolated from the main Internet, by technically advanced administrators who knew how to download the source code from the Internet.

More here




More in Tux Machines

Qt 5.11 released

  • Qt 5.11 released
    Slightly ahead of our planned schedule, we have released Qt 5.11 today. As always, Qt 5.11 comes with quite a few new features as well as many bug fixes to existing functionality. Let’s have a look at some of the cool new features.
  • Qt 5.11 Released With A Big Arsenal Of Updates
    The Qt Company has managed to release Qt 5.11 one week ahead of schedule compared to its original road-map, which is quite a feat considering some of the past Qt5 release delays. Beyond that, Qt 5.11.0 is offering a big slab of improvements.

Software: Discourse and More

  • Discourse – A Modern Forum for Community Discussion
    Discourse is a free, open source, modern, feature-rich and remarkable community-oriented forum software. It’s a powerful, reliable, and flexible platform that comes with a wide range of tools for community discussions. It is designed for building community discussion platforms, mailing list or chat room for your team, customers, fans, patrons, audience, users, advocates, supporters, or friends and most importantly, it seamlessly integrates with the rest of your established online platforms.
  • 4 Markdown-powered slide generators
    Imagine you've been tapped to give a presentation. As you're preparing your talk, you think, "I should whip up a few slides." Maybe you prefer the simplicity of plain text, or maybe you think software like LibreOffice Writer is overkill for what you need to do. Or perhaps you just want to embrace your inner geek. It's easy to turn files formatted with Markdown into attractive presentation slides. Here are four tools that can do help you do the job.
  • Faster Audio Decoding/Encoding Coming To Ogg & FLAC
    FLAC and Ogg now have faster audio encoding and decoding capabilities thanks to recent code improvements. Robert Kausch of the fre:ac audio converter project wrote in to inform us about recent changes he made to FLAC and Ogg for yielding faster performance. Kausch updated the CRC checks within FLAC and Ogg to a faster algorithm and those patches have now been accepted upstream.

Cooking With Linux and EzeeLinux Shows

Red Hat Leftovers

  • RPKG guide from Tito user
    Since the beginning of the rpkg project, it was known as a client tool for DistGit. Times changed and a new era for rpkg is here. It was enhanced with project management features, so we can safely label it as a tito alternative. A features review, pros and cons and user guide is a theme for a whole new article. In this short post, I, as a long-time tito user, want to show rpkg alternatives for the tito commands, that I frequently use.
  • All-Flash Platform-as-a-Service: Pure Storage and Red Hat OpenShift Reference Architecture
    Pure Storage® is excited to announce a reference architecture for Red Hat OpenShift Container Platform, using both Pure Storage FlashArray and FlashBlade™ to provide all the underlying storage requirements.
  • Red Hat OpenStack Platform 13 Delivers Long-Term Support
    The Red Hat OpenStack Platform 13 release was officially announced here on May 21, bringing along with it new features and expanded support for the open-source cloud platform. In a video interview with eWEEK, Mark McLoughlin, senior director of engineering for OpenStack at Red Hat, details what's new in the release and what is set to come in the next release. Red Hat OpenStack Platform 13 is based on the upstream OpenStack Queens release that first became generally available on Feb. 28. "The key thing for the OpenStack Platform 13 release is that it is a long life release," McLoughlin said.
  • Red Hat, Inc. (RHT) stock remained among YTD Quarterly with rise of 12.54%
  • 10 tasks for running containers on Atomic Host
    Unlike a virtual machine, which includes an entire operating system, a container is meant to hold only the software needed to run an application. Therefore, to run a container efficiently and securely, you need an operating system that provides secure container services and acts as a foundation for running containers. One operating system developed for that task is Atomic Host. Think of Atomic Host as a secure, specialized version of Fedora, CentOS, or Red Hat Enterprise Linux (RHEL). Its best use is to provide a reliable and easily upgradable operating system for running containers. Different formats of Atomic Host are available to run on anything from bare metal to a variety of cloud environments. With an Atomic Host system installed, you can use the docker command as you would on other container-enabled systems. However, Atomic Host also comes with an additional command called atomic, which expands what you can do with containers.