Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in

From: Jan Wieck <JanWieck(at)Yahoo(dot)com>
To: Dann Corbit <DCorbit(at)connx(dot)com>
Cc: Neil Conway <neilc(at)samurai(dot)com>, Mark Pritchard <mark(at)tangent(dot)net(dot)au>, Justin Clift <justin(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in
Date: 2002-08-20 13:53:47
Message-ID: 3D6249EB.F92933EF@Yahoo.com
Lists: pgsql-hackers

Dann Corbit wrote:
> [...]
>
> What I am saying is that there is nothing that could possibly be more
> important than fixing this, except some other known problem that could
> also cause billions of dollars worth of damage. Are there any such
> problems besides the buffer overrun problems?

And what others tried to tell you is, that there are different types of
systems and levels of vulnerability. A software that by nature needs to
be exposed to the internet (like an SMTP, HTTP or SSH server) is in high
danger and needs to be fixed immediately. But software that by nature
needs to be well protected from uncontrolled access (like a database, a
backup management system or a logical volume manager) does not.

The matter of the fact is, that if you grant someone access to your
database that gives him the power to execute the statement that triggers
this bug, you're lost anyway. Whatever constraints you have set up, an
empty database is usually very consistent but not necessarily useful.

Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#================================================== JanWieck(at)Yahoo(dot)com #
