Language Selection

English French German Italian Portuguese Spanish

Insecurity blues: What I learned from my buggy code

Filed under
Software

It hasn't been a good month for my code. Samba, the project I'm responsible for, has had to announce several security flaws. Unfortunately some of them were in code I wrote. I always do a large amount of soul-searching whenever that happens. There's nothing worse than finding out something you were responsible for is the cause of many thousands of people having to waste their time rolling out patches. It always makes me wonder if the time has come to give up this programming lark and end my days peacefully in management, messing up other people's code instead of creating my own.

It's very educational however to look at the causes of the flaws, and try and learn what we can from the bugs and also our reactions to them. Samba is an old program. The initial code was originally written 15 years ago. At that time, modern security problems such as integer wrap (where adding two numbers together can end up with a number smaller than both of them, due to the fixed sizes of integers that processors deal with), or heap overflow vulnerabilities (where overwriting unallocated memory on the program heap can allow a clever attacker to seize control of a program) were unheard of. We knew about buffer overruns (where reading more data into a buffer than was originally allocated for it can cause a security breach) and denial of service attacks, but 1992 was a simpler, less hostile time for network software development. Most initial deployments of Samba were on networks isolated from the main Internet, by technically advanced administrators who knew how to download the source code from the Internet.

More here




More in Tux Machines

Red Hat Enterprise Linux 7.1 Officially Released with Support for Linux Containers

Red Hat was proud to announce earlier today, March 5, the availability of the first maintenance release of its Red Hat Enterprise Linux 7 operating system for computers, used in numerous enterprises worldwide. Red Hat Enterprise Linux 7.1 contains a great amount of bug fixes and improvements over the previous release, as well as various new features. Read more Also: iSER target should work fine in RHEL 7.1

Help: Linux to the rescue of older operating systems

As you know, when someone offers free stuff, we give it a few weeks in order to give each group, organization or individual in need a chance to respond. That’s what we’ll do with Mary Greenfield’s generous offer to donate free fabric, so give it another week and then we’ll forward responses to her. One of the most rewarding aspects of writing this column is realizing that it generates discussion, and here’s a response to that question about updates for an older computer running Windows ME... Read more

Open source used to manage Figueres’ environment

The Spanish town of Figueres is relying on free and open source software to help manage its urban and natural environment. Fisersa Ecoserveis, an environmental company, is using a range of open source solutions to create, update and manage interactive geographic maps, used for monitoring and planning the city’s green spaces. Read more

I/O-rich SBC runs Linux on Cortex-A9 Sitara SoC

MYIR launched a “Rico” SBC for TI’s Cortex-A9 AM437x SoC, with an open Linux BSP, 4GB of eMMC flash, and coastline GbE, HDMI, and USB host and device ports. Read more