Subject: Re: What to do about unfixed vulnerabilities?
To: None <agc@pkgsrc.org>
From: Matthew Orgass <darkstar@pgh.net>
List: tech-pkg
Date: 10/24/2000 22:50:23
On Tue, 24 Oct 2000, Alistair Crooks wrote:
> On Mon, 23 Oct 2000 19:57:30 -0400 (EDT), Matthew Orgass wrote:
> 
> I disagree - I am in no position to tell people what programs they must, or
> must not, use. I am in a position to advise them on bad practices, however,
> and that's why bsd.pkg.mk displays a warning when a vulnerable package is
> installed, or the audit-packages script is run.

  Ok, but they should be forced to read the notice before installing it. 
Even once the current problems are fixed, I think the notice should remain
until there is some reason to believe that other similar problems will not
be found in the future.  This isn't the first overflow problem in pine and
given the FreeBSD comment probably will not be the last.

  Mutt does look like a reasonable alternative, though it isn't nearly as
nice as pine.  Things are at least done generally the same way, unlike
other text mailers I've seen.

> And to come to the defence of Hubert, the advisory he put in our
> vulnerabilities file covered simply the Denial of Service one
> (http://www.securityfocus.com/advisories/2646), not the buffer overflow one
> that you reference. I should have found that one in my trawl through recent
> advisories on the Security Focus web site when I was populating the
> vulnerabilities file, but it evidently fell through my net. Apologies, mea
> culpa, it's a fair cop, guv, you've got me bang to rights. 

  Sorry, I didn't mean to blame you for not finding it originally.
NetBSD can't be responsible for the security of the packages, so providing
information as discovered is the best that can be expected.  I was mainly
reacting to Hubert's comment when informed of the situation (though,
having made a similar mistake myself, I can certainly relate to
misinterpreting something like that after reading enough messages where
people really are talking about a different operating system).

> PS. This whole pine thing has shown me one thing - the need for a package
> like audit-packages, and a wish that we'd implemented something like this
> long ago.

  Yes, thanks for writing it!

Matthew Orgass
darkstar@pgh.net