[Full-Disclosure] Re: The Cult of a Cardinal Number

From: Phantasmal Phantasmagoria (phantasmal@hush.ai)
Date: Thu Mar 04 2004 - 01:27:54 CST


>A cc of this email to security@proftpd.org would have been
>if you felt the need not to give any prior warning to the team so
>problematic versions could be removed from the ftp archives and/or
> Mark Lowes
>Mark Lowes <hamster@proftpd.org>

Certainly, this is a reasonable request. But it has to be said that I
have the distinct impression that the 'team' was already aware of the
problems surrounding xlate_ascii_write(), and were merely inclined to
ignore the (perhaps) insignificant percentage of the ProFTPD user base
that had not yet updated to 1.2.9. My justification lies in the resolution
of Bug#2200 which included the clean up of xlate_ascii_write() that saw
these overflows fixed. Castaglia writes in revision 1.69's log message:

"Bug#2200 - Correct segfaults with xlate_ascii_write on IRIX. Some of
the last of the remaining code (whose I understood only partially, such
as the session.xfer.buf++ increment) is now removed, as well as a
potentially dangerous NUL-termination statement."

This leaves me with two possible scenarios. Firstly, castaglia reads
Jesse Sipprell's bug report and without fully understanding the problem
commits the provided patch. Or secondly, castaglia reads Jesse
Sipprell's bug report and realises the possible ramifications of the
highlighted issues, deciding to silently patch them under the guise of
'IRIX segfaults' rather than endure the publicity of yet another
exploitable buffer overflow in his pet project (just days after the ISS

There may be arguments for both accounts, but let's give castaglia
some credit. He knows what he's doing, and I believe that he knew
exactly what the issues meant. Would you mark code as "potentially
dangerous" yet not investigate the matter further to find the complete
implications it may have on your user base? Would anyone?

Phantasmal Phantasmagoria

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html