
Insecurity blues: What I learned from my buggy code

Filed under: Software

It hasn't been a good month for my code. Samba, the project I'm responsible for, has had to announce several security flaws. Unfortunately some of them were in code I wrote. I always do a large amount of soul-searching whenever that happens. There's nothing worse than finding out something you were responsible for is the cause of many thousands of people having to waste their time rolling out patches. It always makes me wonder if the time has come to give up this programming lark and end my days peacefully in management, messing up other people's code instead of creating my own.

It's very educational, however, to look at the causes of the flaws, and try and learn what we can from the bugs and also from our reactions to them. Samba is an old program. The initial code was originally written 15 years ago. At that time, modern security problems such as integer wrap (where adding two numbers together can end up with a number smaller than both of them, due to the fixed sizes of integers that processors deal with), or heap overflow vulnerabilities (where overwriting unallocated memory on the program heap can allow a clever attacker to seize control of a program) were unheard of. We knew about buffer overruns (where reading more data into a buffer than was originally allocated for it can cause a security breach) and denial of service attacks, but 1992 was a simpler, less hostile time for network software development. Most initial deployments of Samba were on networks isolated from the main Internet, by technically advanced administrators who knew how to download the source code from the Internet.
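The integer wrap the author describes usually surfaces in a length check. The following is an added illustration, not code from the essay or from Samba: a check written as a plain sum of two attacker-controlled lengths accepts a wrapped total, while a check that first tests whether the sum can wrap rejects it. The function names and the 32-bit length fields are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive check (hypothetical): header_len + payload_len is computed in
 * 32 bits, so a large payload_len wraps the sum round to a small number
 * that passes the comparison even though the real total is huge. */
bool naive_fits(uint32_t header_len, uint32_t payload_len, uint32_t buffer_len)
{
    uint32_t total = header_len + payload_len; /* wraps modulo 2^32 */
    return total <= buffer_len;
}

/* Overflow-aware check (hypothetical): refuse any pair of lengths whose
 * sum cannot be represented, then compare the now-trustworthy total. */
bool safe_fits(uint32_t header_len, uint32_t payload_len, uint32_t buffer_len)
{
    if (payload_len > UINT32_MAX - header_len)
        return false; /* header_len + payload_len would wrap */
    return header_len + payload_len <= buffer_len;
}

int main(void)
{
    /* Constructed lengths: 16 + (2^32 - 8) is 2^32 + 8, which wraps to 8. */
    uint32_t header = 16, payload = UINT32_MAX - 8, buffer = 1024;

    printf("naive check accepts wrapped total: %s\n",
           naive_fits(header, payload, buffer) ? "yes" : "no");
    printf("safe check accepts wrapped total:  %s\n",
           safe_fits(header, payload, buffer) ? "yes" : "no");
    return 0;
}
```

Compile with `-Wall -O2`; the compiler will not warn here, because unsigned wrap is well defined in C, which is exactly why the explicit pre-check is needed.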

More here
