Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in

From: Rod Taylor <rbt(at)zort(dot)ca>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Justin Clift <justin(at)postgresql(dot)org>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, Neil Conway <neilc(at)samurai(dot)com>, Gavin Sherry <swm(at)linuxworld(dot)com(dot)au>, Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in
Date: 2002-08-21 17:30:04
Message-ID: 1029951006.35003.15.camel@jester
Lists: pgsql-hackers

On Wed, 2002-08-21 at 13:13, Bruce Momjian wrote:
> Justin Clift wrote:
> > Bruce Momjian wrote:
> > >
> > > Justin Clift wrote:
> > > > Only two things which have the potential to be worth waiting for, from
> > > > what I'm aware of. There may be others:
> > > >
> > > > - Find out from Sir Mordred if he wants to take a look at the CVS
> > > > version of code and audit in that for a bit, Just In Case he turns
> > > > up something that's serious and requires substantial re-work.
> > > > Although it means he wouldn't have a bunch of "I found this existing
> > > > exploit" type releases, we could instead offer him credit on the
> > > > press release along the lines of "This release has been audited for
> > > > security flaws in its code by Sir Mordred". Am pretty sure he'd
> > > > do a very thorough job for that, as it means he'd have an official
> > > > "product reputation" he'd need to stand by for it.
> > >
> > > This is interesting. He would have a month to do it.
> >
> > Reckon it's worth asking him, to find out if he'd be interested in this?
>
>
> I wouldn't do it yet until we know if we are going to delay.

I'd ask anyway. 99% of the issues he finds will be fairly localized.
Anything truly new (not on TODO already) will probably require a fair
bit of time to track down, then fix time on top (2 months delay?).

Anyway, these types of discoveries are better in beta than after the
release and would still warrant a mention if there is a fair amount of
ground covered.

Personally, I'd be more interested in what's safe (covered) than what's
broken. Posting the successful test cases as some proof towards
stability / security of the new release would realize immediate gains in
settling nervous VPs about the new installation.
