curl-library
Re: Sourcemage insults
Date: Mon, 7 Mar 2005 09:19:54 -0600
On Mon, 7 Mar 2005 09:02:50 -0500, Lars Nilsson <chamaeleon_at_gmail.com> wrote:
> On Mon, 7 Mar 2005 08:52:17 -0500, Jean-Philippe Barrette-LaPierre
> <jpbarrette_at_savoirfairelinux.net> wrote:
> > On March 7, 2005 08:39 am, Jean-Philippe Barrette-LaPierre wrote:
> > > On March 7, 2005 08:10 am, Ralph Mitchell wrote:
> > > > Do they have any kind of ,mailing list we could join and let their
> > > > users know the truth?? I'll have a look later when I'm more awake.
> > >
> > > They submitted a bug report:
> > > http://www.securityfocus.com/archive/1/391042
> > >
> > > discusted in this thread:
> > > http://curl.haxx.se/mail/lib-2005-02/0172.html
> >
> > But I searched in the curl-user, curl-library mailling-lists and I couldn't
> > find anything that they could have sent.
>
> I believe that is the point. The curl mailing list thread is a
> discussion of the patch, once the "advisory" (not sure why I use a
> polite term) was already made public and information did trickle down
> to Daniel and others. Posting something to a securityfocus mailing
> list does not constitute advance notice or vendor notification either,
> of course.
>
> My personal belief (incorrect perhaps, but I'm holding on to it until
> presented with evidence to the contrary) is that some people hunting
> for bugs does not particularly care to have the vendor fix the problem
> before letting the rest of the world know to boost their own ego.
You could well be right in that belief.
There's one other package listed in the Sourcemage FTP with a
SECURITY file, and that's wget:
Please note that due to the poorly written nature of wget,
use of wget
especially with -x and -r can be risky.
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261755
We have applied the control character patch and development
versions of
sorcery avoid the other vulnerabilities listed.
Hope is that shortly the upstream author of wget will release a new
version to fix everything.
-- Seth Woolley, Security Team Leader, <security_at_sourcemage.org>
I wonder if wget's author was ever informed about it??
It's possible that the Sourcemage guys are simply parrotting what was
put in the Bugtraq advisory. If you Google for the email address of
the guy credited with the discovery, you'll see similar comments
cropping up in Suse, Debian and other places:
http://www.google.com/search?q=infamous41md+curl&hl=en&lr=&start=0&sa=N
so everybody is repeating Bugtraq without bothering to check with the
package author.
And this: http://infamous.hackaholic.org/ may well be his homepage.
Interesting reading... Curl isn't the only package he's searching
for exploits.
Ralph
Received on 2005-03-07