Re: lynx-dev Lynx buffer mismanagement

[Theo de Raadt]

> all one can really say to Mr de Raadt is
> that he's the first person ever to make any such claim (in my memory):
> Lynx has many users & is supported by some pretty good programmers
> & no-one has run into security or other problems due to buffer overflows
> or at most only very occasionally during the past couple of years.

That's funny.  There's a thread right now on the bugtraq mailing list
about a buffer overflow security hole in the mailto support.  Two
months ago, there was a report about the /tmp races in lynx.

There will be more such threads.  You can bet on it.

> if he wants to be taken seriously anywhere anytime by anyone,
> he must be prepared to back his generalisations with concrete instances:
> if any member of lynx-dev is going to listen to him,
> he must provide  >= 1  case where there is a potential buffer overflow
> which would cause a crash or a security hole;

That has already been done on bugtraq, a full disclosure mailing list
which all the crackers subscribe to.  Now let me guess, you will now
propose that those two little problems get solved, and that everyone
waits for the next problem to be found, before any further work gets
done?  There's no need to do any preventative work, is there.

> if he won't do that, it should be clear to everyone that he can't:
> we know Lynx very well & it's a pretty reliable product.

I've got a question: Anyone ever seen a lynx crash or coredump?  If
you have, all of those those indicate potential security holes.
Now.. none of you have ever seen a lynx coredump, right?

> > I'll continue to put lynx in the class of "buffer overflow disasters"
> > when people ask me for examples at my talks.
> 
> it's like someone walking into a store & telling everyone:
> "Hey! this stuff's all garbage! why don't you clean the place up?
> it's not even safe! i'm going to warn everybody about it".
> 
> if Mr de Raadt were to do that with a commercial software product,
> he would find himself on the receiving end of a hefty law-suit,
> to which he would -- on present evidence -- have no defense.

I doubt that.  I live in Canada, as do you, and sorry, that's just not
how our legal system works (companies in Canada who try to find it is
basically impossible to sue individuals).  That said, I don't run
commercial software (but as a result I do end up running equally
crappy free software anyways, sometimes).

> my main reason for bothering to reply at length to this guy is
> to forestall any waste of anyone's valuable time on him,
> assuming he continues to refuse to put his data where his mouth is.

Hmm.. You have no idea who I am.. I have experience with how security
problems should be dealt with.  I suggest you take a look at
http://www.openbsd.org/security.html, and you might learn something
about how a more qualified sense of security is gained.  It's through
effort at cleaning up all the little details, not through responding
to problems months after they are posted on security mailing lists,
which is often 6 months after the problem is well known in certain
circles.

Yes, I come off sounding cocky -- that comes from having been involved
in the largest free software security audit process ever taken, with
quite remarkable success.  But you come off sounding cocky, uneducated,
and uninformed.