Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 17 submissions in the queue.

Lennart Poettering Wins 2017 Pwnie for Lamest Vendor Response

posted by martyb on Monday July 31 2017, @05:01AM   Printer-friendly
from the imminent-recursion dept.

canopic jug writes:

The 2017 Pwnie winner for lamest vendor response goes to Lennart Poettering for systemd. According to CSO which has reported on it, the Pwnie winners which were announced a few days ago, the summary for Lennart and systemd reads as follows:

The most spectacular mishandling of a security vulnerability by a vendor ended up winning a Pwnie for Lennart Poettering due to SystemD bugs 5998, 6225, 6214, 5144, 6237. The nomination reads: "Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will referenced in either the change log or the commit message. But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!"

Original Submission

 
This discussion has been archived. No new comments can be posted.
Lennart Poettering Wins 2017 Pwnie for Lamest Vendor Response | Log In/Create an Account | Top | 73 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1, Informative) by Anonymous Coward on Monday July 31 2017, @09:03AM (1 child)

    by Anonymous Coward on Monday July 31 2017, @09:03AM (#547048)

    which is basically never if all you do it cat a given file to the screen

    You don't cat a file to the screen, you cat it to a terminal. And doing so with text from unknown origin may well be a security problem:
    https://nvd.nist.gov/vuln/detail/CVE-2003-0063 [nist.gov]
    https://nvd.nist.gov/vuln/detail/CVE-2008-2383 [nist.gov]
    https://nvd.nist.gov/vuln/detail/CVE-2010-2713 [nist.gov]
    https://nvd.nist.gov/vuln/detail/CVE-2012-3515 [nist.gov]
    https://nvd.nist.gov/vuln/detail/CVE-2014-3121 [nist.gov]

    Note that less by default converts those escape sequences to safe text, so it is a safer way to view text files.

    Starting Score:    0  points
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Total Score:   1  

  • (Score: 5, Insightful) by ledow on Monday July 31 2017, @11:13AM

    by ledow (5567) on Monday July 31 2017, @11:13AM (#547089) Homepage

    Those are:

    XTerm
    XTerm
    VTE
    QEmu
    and rxvt

    DATA HANDLING ISSUES. Nothing to do with cat. It's like saying that "Apache" compromised your database because an employer put the whole list in a public_html folder.

    And cat is dumb - it's the things that try to get clever and interpret data (e.g. terminals, less, etc.) that are the ones most likely to cause the problems. Acting on untrusted data is something that no program should mess with lightly. These programs did it and got it wrong. cat doesn't try. Which is why the CVEs listed have nothing to do with cat, but what happens when you put an escape sequence FROM ANY SOURCE into XTerm, etc. without checking it properly first.