Language Selection

English French German Italian Portuguese Spanish

Insecurity blues: What I learned from my buggy code

Filed under
Software

It hasn't been a good month for my code. Samba, the project I'm responsible for, has had to announce several security flaws. Unfortunately some of them were in code I wrote. I always do a large amount of soul-searching whenever that happens. There's nothing worse than finding out something you were responsible for is the cause of many thousands of people having to waste their time rolling out patches. It always makes me wonder if the time has come to give up this programming lark and end my days peacefully in management, messing up other people's code instead of creating my own.

It's very educational however to look at the causes of the flaws, and try and learn what we can from the bugs and also our reactions to them. Samba is an old program. The initial code was originally written 15 years ago. At that time, modern security problems such as integer wrap (where adding two numbers together can end up with a number smaller than both of them, due to the fixed sizes of integers that processors deal with), or heap overflow vulnerabilities (where overwriting unallocated memory on the program heap can allow a clever attacker to seize control of a program) were unheard of. We knew about buffer overruns (where reading more data into a buffer than was originally allocated for it can cause a security breach) and denial of service attacks, but 1992 was a simpler, less hostile time for network software development. Most initial deployments of Samba were on networks isolated from the main Internet, by technically advanced administrators who knew how to download the source code from the Internet.

More here




More in Tux Machines

Linux Devices

Open Source Software A Core Competency For Effective Tech M&A

Imagine your company just acquired its competitor for $100 million. Now imagine the company’s most important asset – its proprietary software – is subject to third-party license conditions that require the proprietary software to be distributed free of charge or in source code form. Or, imagine these license conditions are discovered late in the diligence process, and the cost to replace the offending third-party software will costs tens of thousands of dollars and take months to remediate. Both scenarios exemplify the acute, distinct and often overlooked risks inherent to the commercial use of open source software. An effective tech M&A attorney must appreciate these risks and be prepared to take the steps necessary to mitigate or eliminate them. Over the past decade, open source software has become a mainstay in the technology community. Since its beginnings, open source software has always been viewed as a way to save money and jumpstart development projects, but it is increasingly being looked to for its quality solutions and operational advantages. Today, only a fraction of technology companies do not use open source software in any way. For most of the rest, it is mission critical. Read more

AMD Graphics

SUSE Leftovers

  • Git, Kernels, LightDM, More update in Tumbleweed
    Topping the list of updates for snapshot 20161129 was the update to Light Display Manager 1.21.1, which added an Application Programming Interface (API) version to the greeter-daemon protocol for future enhancements. Other updates in the snapshot include openVPN, which added a recommended utility for network and traffic protocols, and subpackages for systemd relevant for 32-bit users. Desktop manager xfdesktop updated to version 4.12.3 and introduced rotating wallpaper images if the images contain rotation information. The programming language vala, which aims to bring modern programming language features to GNOME developers without imposing any additional runtime requirements, updated in the 20161129 and 20161201 snapshots.
  • openSUSE Leap 42.1 upgrade to Leap 42.2
  • openSUSE Tumbleweed – Review of the Week 2016/49
    I’m sure nobody doubted it, but Tumbleweed is back on the roll! And in fact, we did the impossible and released 8 snapshots in a week. This review will cover {1201..1208}.