[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Calysto v1.5 reports on openldap_v2.4.4alpha



Pierangelo,

On 8/21/07, Pierangelo Masarati <ando@sys-net.it> wrote:
> You posted to the openldap-bugs mailing list.  This list is for
> discussion about bugs; but to track issues, like a bug report (as yours
> seems to be) you're supposed to file an ITS using the ITS interface
> <http://www.openldap.org/its/>.  This is necessary to keep track of the
> status of your submission, otherwise it's just a bunch of emails,
> eventually destined to the bin.
>
> When you submit a bug, you can mark it as PRIVATE.  This means that the
> bug will only be visible to authorized users (essentially, OpenLDAP
> developers). A PRIVATE ITS means it's only temporarily private, until
> the issue is solved; after that, all the traffic about that ITS becomes
> public.  This feature is solely intended to deal with issues that may
> potentially represent a threat to data security, or system vulnerabilities.
>
> For example, if your static scan just checks for NULL pointer
> dereferencing, without considering the context, as Kurt and Howard
> already pointed out you could find that hundreds of occurrences that a
> test client does not check malloc(3) results without being harmful, and
> one occurrence of the server not checking a pointer at the culprit of
> dealing with requests.  In the latter case, until fixed this would
> expose all deployments of OpenLDAP to denial of service, but it could go
> unnoticed because clobbered by the rest.

Ok, thank you a bunch for the clarification.

This might be especially relevant to buffer overrun checking (that I'm
planning to introduce in the future).

However, Kurt, on the behalf of the OpenLDAP Foundation, explicitly
stated that the foundation is not interested in having the code
statically checked, so I won't be sending reports (except for one
more I have already generated).


Once Calysto becomes publicaly available, you might actually get in a
position where other people will be capable of finding exploits
automatically --- every great technology has its dark side :-)

Cheers,

-- 
        Domagoj Babic

        http://www.domagoj.info/
        http://www.calysto.org/