Insecurity blues: What I learned from my buggy code

Filed under
Software

It hasn't been a good month for my code. Samba, the project I'm responsible for, has had to announce several security flaws. Unfortunately some of them were in code I wrote. I always do a large amount of soul-searching whenever that happens. There's nothing worse than finding out something you were responsible for is the cause of many thousands of people having to waste their time rolling out patches. It always makes me wonder if the time has come to give up this programming lark and end my days peacefully in management, messing up other people's code instead of creating my own.

It's very educational however to look at the causes of the flaws, and try and learn what we can from the bugs and also our reactions to them. Samba is an old program. The initial code was originally written 15 years ago. At that time, modern security problems such as integer wrap (where adding two numbers together can end up with a number smaller than both of them, due to the fixed sizes of integers that processors deal with), or heap overflow vulnerabilities (where overwriting unallocated memory on the program heap can allow a clever attacker to seize control of a program) were unheard of. We knew about buffer overruns (where reading more data into a buffer than was originally allocated for it can cause a security breach) and denial of service attacks, but 1992 was a simpler, less hostile time for network software development. Most initial deployments of Samba were on networks isolated from the main Internet, by technically advanced administrators who knew how to download the source code from the Internet.
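As an added illustration (not code from the column or from Samba), the integer-wrap pattern the paragraph defines, shown in a constructed length check: a naive version that adds first and compares second, beside a hardened version that rejects the wrap before it can undersize an allocation. The message layout, limits and function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed scenario (not Samba code): a request carries a 32-bit
 * header length and a 32-bit payload length, and the receiver sizes a
 * buffer as header_len + payload_len, capped at 'limit'. */

/* The wrap itself: addition on a fixed-width unsigned integer is
 * modulo 2^32, so 0xFFFFFFF0 + 0x20 yields 0x10, smaller than either
 * operand. */
uint32_t wrapping_add(uint32_t a, uint32_t b)
{
    return a + b;
}

/* Naive check: forms the sum, then compares.  A wrapped sum passes the
 * comparison, so a later allocation of 'total' bytes is far too small
 * for the payload that follows (the setup for a heap overflow). */
bool naive_length_ok(uint32_t header_len, uint32_t payload_len, uint32_t limit)
{
    uint32_t total = header_len + payload_len;   /* may wrap */
    return total <= limit;
}

/* Hardened check: detect that the sum would wrap, then compare without
 * ever forming the sum. */
bool safe_length_ok(uint32_t header_len, uint32_t payload_len, uint32_t limit)
{
    if (header_len > limit)
        return false;
    if (payload_len > UINT32_MAX - header_len)
        return false;                    /* header_len + payload_len would wrap */
    return payload_len <= limit - header_len;
}

int main(void)
{
    const uint32_t limit = 1024;
    const uint32_t hdr = 32, huge = 0xFFFFFFF0u;

    printf("0x%08X + 0x%08X = 0x%08X\n", huge, hdr, wrapping_add(huge, hdr));
    printf("naive check accepts oversized payload: %s\n",
           naive_length_ok(hdr, huge, limit) ? "yes" : "no");
    printf("safe check accepts oversized payload:  %s\n",
           safe_length_ok(hdr, huge, limit) ? "yes" : "no");
    return 0;
}
```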

More here

More in Tux Machines

Leftovers: Software

  • HandBrake 1.0.2 Open-Source Video Transcoder Released for Linux, Mac and Windows
    After more than 13 years of development, the HandBrake open-source video transcoding app reached the 1.0 milestone on Christmas Eve last year, and the second bugfix release is already available. HandBrake 1.0.2 is full of improvements and bug fixes enhancing the out-of-the-box video, audio, and subtitles support, but also adds various platform-specific changes for all supported operating systems, including GNU/Linux, macOS, and Microsoft Windows.
  • SMPlayer 17.1 Open-Source Video Player Introduces Chromecast Support, More
    It's been two and a half months since you last updated your SMPlayer open-source video player, and a new stable release is now available, versioned 17.1, with some exciting features. Sporting initial Chromecast support, SMPlayer 17.1 will let you send video files from your personal computer to your Chromecast device to watch them on your big-screen TV, or your friends for that matter. The feature supports both online and local sources, including those from popular video hosting services like YouTube and Vimeo.
  • Firefox 51 Released with FLAC Support, Better CPU Usage
    A new month means a new release of the venerable Mozilla Firefox web browser. Firefox 51 ships with FLAC support, WebGL 2, and a whole heap more — come see!
  • Mozilla Firefox 51.0 Now Available for Download, Supports FLAC Playback, WebGL 2
    It's not yet official, but the binary and source packages of the Firefox 51.0 web browser are now available for download on your GNU/Linux, macOS, or Microsoft Windows operating system. Mozilla will have the pleasure of unveiling the Firefox 51.0 release tomorrow, January 24, according to the official schedule, but you can already get your hands on the final version of the web browser by downloading the installers for your favorite OS right now from our website (links are at the end of the article).

OSS Leftovers

  • Berkeley launches RISELab, enabling computers to make intelligent real-time decisions
  • Amazon, Google, Huawei, and Microsoft sponsor UC Berkeley RISELab, AMPLab's successor
  • Brotli: A new compression algorithm for faster Internet
    Brotli is a new open source compression algorithm designed to enable an Internet that's faster for users. Modern web pages can often be made up of dozens of megabytes of HTML, CSS, and JavaScript, and that's before accounting for images, videos, or other large file content, which all makes for hefty downloads. Such loads are why pages are transferred in compressed formats; they significantly reduce the time required between a website visitor requesting a web page and that page appearing fully loaded on the screen and ready for use. While the Brotli algorithm was announced by Google in September 2015, only recently have the majority of web browsers adopted it. The HTTP servers Apache and nginx now offer Brotli compression as an option. Besides Google, other commercial vendors (such as Cloudflare and DreamHost) have begun to deploy support for Brotli as well.
  • New Year’s resolution: Donate to 1 free software project every month
    Free and open source software is an absolutely critical part of our world—and the future of technology and computing. One problem that consistently plagues many free software projects, though, is the challenge of funding ongoing development (and support and documentation). With that in mind, I have finally settled on a New Year’s resolution for 2017: to donate to one free software project (or group) every month—or the whole year. After all, these projects are saving me a boatload of money because I don’t need to buy expensive, proprietary packages to accomplish the same things.
  • Toyota and Ford Promote Open Source Smartphone Interfaces
    Ford and Toyota have formed a four-automaker consortium to speed up the deployment of open source software for connected in-car systems, according to a report by Bloomberg. The SmartDeviceLink Consortium, which includes Mazda, PSA Group, Fuji, and Suzuki, aims to prevent Apple and Google from controlling how drivers connect smartphones to their vehicles. Suppliers Elektrobit, Harma, Luxoft, QNX, and Xevo have also joined the organization, which is named after an open source version of Ford’s AppLink connectivity interface, a system used in over 5 million vehicles globally.
  • What your code repository says about you
    "You only get one chance to make a first impression," the old saying goes. It's cliche, but nevertheless sound, practical advice. In the realm of open source, it can make the difference between a project that succeeds and a project that fails. That's why making a positive first impression when you release a repo to the world is essential—at least if your motivations involve gaining users, building a community of contributors, and attracting valuable feedback.
  • The Open Source Way of Reaching Across Languages
    I don’t speak Spanish, but that doesn’t mean I can’t learn some important things from this video. The visuals alone are quite instructive. At my public library job, I mentor a number of wonderful Latino youth. One of them might ask me about open source CAD software — and I’ll direct them right to this FOSS Force article. Of course, I subscribed to the YouTube channel of the creator of this video, and also clicked on its like button. If the screencast creator comes back to look at this video in February, they’ll find that they have a number of new subscribers, a number of likes for the video and the video view count might be more than 100. All those indicators will be encouragement for them to make their next open source screencast. And so it goes. That’s how we support each other in the open source world.
  • School systems desperate for standards-aligned curricula find hope
    Open Up Resources is a nonprofit collaborative formed by 13 U.S. states that creates high-quality, standards-aligned open educational resources (OERs) that are openly licensed under CC BY-SA 4.0. Unlike other providers, Open Up Resources provides curriculum-scale OER options; they believe that while many people seem to know where to find supplemental materials, most curriculum directors would not know where to look if they were planning a textbook adoption next year.
  • Visual Studio Test joins Microsoft's open source push [Ed: More openwashing of proprietary software from Microsoft, which interjects surveillance into compiled code]
  • Microsoft Open-Sources DirectX Shader Compiler [Ed: Windows lock-in.]

Red Hat's Survey in India

From Raspberry Pi to Supercomputers to the Cloud: The Linux Operating System

Linux is widely used in corporations now as the basis for everything from file servers to web servers to network security servers. The no-cost as well as commercial availability of distributions makes it an obvious choice in many scenarios. Distributions of Linux now power machines as small as the tiny Raspberry Pi and as large as the biggest supercomputers in the world. There is a wide variety of minimal and security-hardened distributions, some of them designed for GPU workloads. Read more