Language Selection

English French German Italian Portuguese Spanish

Insecurity blues: What I learned from my buggy code

Filed under
Software

It hasn't been a good month for my code. Samba, the project I'm responsible for, has had to announce several security flaws. Unfortunately some of them were in code I wrote. I always do a large amount of soul-searching whenever that happens. There's nothing worse than finding out something you were responsible for is the cause of many thousands of people having to waste their time rolling out patches. It always makes me wonder if the time has come to give up this programming lark and end my days peacefully in management, messing up other people's code instead of creating my own.

It's very educational however to look at the causes of the flaws, and try and learn what we can from the bugs and also our reactions to them. Samba is an old program. The initial code was originally written 15 years ago. At that time, modern security problems such as integer wrap (where adding two numbers together can end up with a number smaller than both of them, due to the fixed sizes of integers that processors deal with), or heap overflow vulnerabilities (where overwriting unallocated memory on the program heap can allow a clever attacker to seize control of a program) were unheard of. We knew about buffer overruns (where reading more data into a buffer than was originally allocated for it can cause a security breach) and denial of service attacks, but 1992 was a simpler, less hostile time for network software development. Most initial deployments of Samba were on networks isolated from the main Internet, by technically advanced administrators who knew how to download the source code from the Internet.

More here




More in Tux Machines

OSS Leftovers

  • 20 Most Promising Open Source Solution Providers - 2017
    Open source has become an imperative part of every developer’s arsenal. The potential to gather assistance from the community and the capacity to link into a range of systems and solutions make open source incredibly powerful. As open source software becomes ubiquitous, and used by the vast majority of enterprises throughout the world, 2017 is all set for vendors of application delivery controller (ADC) to start providing improved and tighter integration packages for various open source projects, especially surrounding ADC-generated telemetry. Companies have been extensively using their analytics and machine learning capabilities for quite some time to identify actionable patterns from the collected data. With the rising demand for business intelligence, this year is foreseen to be the year of information superiority with businesses, leveraging data as a key differentiator. In the past couple of years, containers have been emerging as an imminent trend. As the business focus starkly shifts on rightsizing of resources, containers are expected to become a common phenomenon, giving businesses the ability to leverage highly portable assets and make the move into micro services much simpler. Adjacently, automation has become essential now. Mostly intensified by DevOps adoption, the automation of software delivery and infrastructure changes have freed developers to spend more time creating and less time worrying about infrastructure.
  • DevOps pros and open source: Culturally connected
    Like chocolate and peanut butter, DevOps and open source are two great tastes that taste great together. For many DevOps pros, it's the perfect cultural and technical match.
  • Interoperability: A Case For Open Source - GC@PCI Commentary
    He continues: “An open source model allows companies to see the assumptions behind the calculation and lowers the cost of entry into the cat modeling business. More importantly, the standardized and interoperable hazard, vulnerability and financial modules included in a true open source model facilitate the collaboration of data from insurers, reinsurers, entrepreneurs, scientists, computer programmers and individuals, all of which may result in a new generation of cat models.”
  • DevOps Skills Are Key to Collaboration within Organizations
    DevOps is one of the most highly sought skills employers are seeking to fill among 57 percent of respondents in the 2017 Open Source Jobs Report, from Dice and The Linux Foundation. Specifically, firms are looking for developers (73 percent) and DevOps engineers (60 percent).
  • Projects You Can Help With For Advancing Open-Source NVIDIA "Nouveau" Graphics
    Longtime Nouveau contributor Karol Herbst has been working on an updated list of project ideas for new contributors or those that may be wanting to participate in an Endless Vacation of Code / Google Summer of Code.
  • Join The Linux Foundation at Open Source Summit EU for Booth Swag, Project Updates, and More
    Going to Open Source Summit EU in Prague? While you’re there, be sure stop by The Linux Foundation training booth for fun giveaways and a chance to win one of three Raspberry Pi kits.
  • Oracle Promises To Open Source Oracle JDK And Improve Java EE
    Oracle had already announced it would be moving Java EE to the Eclipse Foundation, and the announcements at JavaOne move the language further to a more vendor-neutral future. It's worth noting that the keynote was preceded by a Safe Harbor disclaimer in which Oracle said it could not be held to plans made during the speech, so nothing is actually certain.
  • Linux Kernel Community Enforcement Statement
  • Linux Kernel Gets An "Enforcement Statement" To Deal With Copyright Trolls
    Greg Kroah-Hartman on the behalf of the Linux Foundation Technical Advisory Board has today announced the Linux Kernel Community Enforcement Statement. This statement is designed to better fend off copyright trolls. Among the copyright troll concerns is how a Netfilter developer has been trying to enforce his personal copyright claims against companies for "in secret and for large sums of money by threatening or engaging in litigation."
  • An enforcement clarification from the kernel community
    The Linux Foundation's Technical Advisory board, in response to concerns about exploitative license enforcement around the kernel, has put together this patch adding a document to the kernel describing its view of license enforcement. This document has been signed or acknowledged by a long list of kernel developers. In particular, it seeks to reduce the effect of the "GPLv2 death penalty" by stating that a violator's license to the software will be reinstated upon a timely return to compliance.

OSS Leftovers

  • 20 Most Promising Open Source Solution Providers - 2017
    Open source has become an imperative part of every developer’s arsenal. The potential to gather assistance from the community and the capacity to link into a range of systems and solutions make open source incredibly powerful. As open source software becomes ubiquitous, and used by the vast majority of enterprises throughout the world, 2017 is all set for vendors of application delivery controller (ADC) to start providing improved and tighter integration packages for various open source projects, especially surrounding ADC-generated telemetry. Companies have been extensively using their analytics and machine learning capabilities for quite some time to identify actionable patterns from the collected data. With the rising demand for business intelligence, this year is foreseen to be the year of information superiority with businesses, leveraging data as a key differentiator. In the past couple of years, containers have been emerging as an imminent trend. As the business focus starkly shifts on rightsizing of resources, containers are expected to become a common phenomenon, giving businesses the ability to leverage highly portable assets and make the move into micro services much simpler. Adjacently, automation has become essential now. Mostly intensified by DevOps adoption, the automation of software delivery and infrastructure changes have freed developers to spend more time creating and less time worrying about infrastructure.
  • DevOps pros and open source: Culturally connected
    Like chocolate and peanut butter, DevOps and open source are two great tastes that taste great together. For many DevOps pros, it's the perfect cultural and technical match.
  • Interoperability: A Case For Open Source - GC@PCI Commentary
    He continues: “An open source model allows companies to see the assumptions behind the calculation and lowers the cost of entry into the cat modeling business. More importantly, the standardized and interoperable hazard, vulnerability and financial modules included in a true open source model facilitate the collaboration of data from insurers, reinsurers, entrepreneurs, scientists, computer programmers and individuals, all of which may result in a new generation of cat models.”
  • DevOps Skills Are Key to Collaboration within Organizations
    DevOps is one of the most highly sought skills employers are seeking to fill among 57 percent of respondents in the 2017 Open Source Jobs Report, from Dice and The Linux Foundation. Specifically, firms are looking for developers (73 percent) and DevOps engineers (60 percent).
  • Projects You Can Help With For Advancing Open-Source NVIDIA "Nouveau" Graphics
    Longtime Nouveau contributor Karol Herbst has been working on an updated list of project ideas for new contributors or those that may be wanting to participate in an Endless Vacation of Code / Google Summer of Code.
  • Join The Linux Foundation at Open Source Summit EU for Booth Swag, Project Updates, and More
    Going to Open Source Summit EU in Prague? While you’re there, be sure stop by The Linux Foundation training booth for fun giveaways and a chance to win one of three Raspberry Pi kits.
  • Oracle Promises To Open Source Oracle JDK And Improve Java EE
    Oracle had already announced it would be moving Java EE to the Eclipse Foundation, and the announcements at JavaOne move the language further to a more vendor-neutral future. It's worth noting that the keynote was preceded by a Safe Harbor disclaimer in which Oracle said it could not be held to plans made during the speech, so nothing is actually certain.
  • Linux Kernel Community Enforcement Statement
  • Linux Kernel Gets An "Enforcement Statement" To Deal With Copyright Trolls
    Greg Kroah-Hartman on the behalf of the Linux Foundation Technical Advisory Board has today announced the Linux Kernel Community Enforcement Statement. This statement is designed to better fend off copyright trolls. Among the copyright troll concerns is how a Netfilter developer has been trying to enforce his personal copyright claims against companies for "in secret and for large sums of money by threatening or engaging in litigation."
  • An enforcement clarification from the kernel community
    The Linux Foundation's Technical Advisory board, in response to concerns about exploitative license enforcement around the kernel, has put together this patch adding a document to the kernel describing its view of license enforcement. This document has been signed or acknowledged by a long list of kernel developers. In particular, it seeks to reduce the effect of the "GPLv2 death penalty" by stating that a violator's license to the software will be reinstated upon a timely return to compliance.

Tizen and Android Leftovers

Tizen and Android Leftovers