[Dailydave] Interesting (?) bug
Rhys Kidd
rhyskidd at gmail.com
Wed May 30 03:52:11 EDT 2007
On 29/05/07, Chris Anley <chris at ngssoftware.com> wrote:
>
>
> In fact, it appears to have been 'revealed' by the fix to this issue in
> 2005. So I guess maybe I just reviewed vpnd at a propitious time? Then
> again, 2 years is a while, right?
>
> Cheers,
>
> -chris.
>
>
Apple really haven't managed to lever the value in open source secure code
review. I remember their "Open Directory" aka. OpenLDAP was woefully
out-of-date with upstream for a number of years. Best example was the
assert( 0 ) bug that had been fixed approximately 1.5 years previously in
OpenLDAP.
I'm sure if someone on this list had a spare week, and simply compared the
version from Apple OpenSource and the most up-to-date public release there'd
be a few easy to spot bugs to garner a claim to fame. I hope Apple's recent
hires in Security Engineering can turn the ship around.
Rhys
BTW: To anyone else who has reviewed the OpenLDAP code, did it also strike
you as source code that was hard to follow with their formatting, and likely
to contain a few more DoS bugs due to liberal use of assert()'s in
non-debug?