Upgrade ethereal please. . .
Nathan R. Valentine
nathan at nathanvalentine.org
Tue Mar 15 10:22:35 CST 2005
> It's not like this is amazing that it's in ethereal; it's just ironic
> that a security tool has a huge security hole, and of course any
> security hole should be a priority fix (Gentoo policy I believe mandates
Though it isn't surprising if you think about it. One of the hardest
things to do absolutely correctly with C-family languages is low-level
parsing of byte fields/strings and yet this is the language that most of
the sniffer tools use. Not that I don't understand their choice of
development language. Just pointing out that it is a Catch-22 of sorts.
Choose another language and lose some speed and developer know-how;
choose a language that requires direct management of memory and make it
easier for a developer to make errors that result in dramatic security
problems.
You see the same kinds of issues with tcpdump, snort, and other
low-level security tools that are written in languages that allow direct
memory mangling.
--
---
Nathan Valentine - nathan at nathanvalentine.org
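The point raised above, that correctly parsing byte fields from the wire is one of the hardest things to get right in C, is easiest to see on a small example. The following is an added example, not code from the original message or from ethereal, tcpdump or snort: it parses a constructed type-length-value (TLV) record layout (an assumption for this example, not a real protocol) and shows the checks a dissector needs before it trusts a length field that an attacker controls. The record format, the sample packets and the function names are all assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout assumed for this example (not a real protocol):
 *   byte 0      : type
 *   bytes 1..2  : big-endian length of the value
 *   bytes 3..   : value (length bytes)
 */
typedef struct {
    uint8_t type;
    uint16_t len;
    const uint8_t *value; /* points into the caller's buffer, not copied */
} tlv_t;

#define TLV_HDR_LEN 3

/* Parse one record from buf[0..buflen). Returns the number of bytes consumed,
 * or -1 if the record does not fit entirely inside the buffer. The length
 * field is validated against the remaining buffer BEFORE it is used; the
 * comparison is written as len > buflen - TLV_HDR_LEN so it cannot overflow. */
long parse_tlv(const uint8_t *buf, size_t buflen, tlv_t *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    if (buflen < TLV_HDR_LEN)          /* header itself must be present */
        return -1;

    /* Assemble the 16-bit length byte by byte: no unaligned casts, no
     * dependence on host byte order. */
    uint16_t len = (uint16_t)(((unsigned)buf[1] << 8) | buf[2]);

    if (len > buflen - TLV_HDR_LEN)    /* untrusted length vs. what is really there */
        return -1;

    out->type  = buf[0];
    out->len   = len;
    out->value = buf + TLV_HDR_LEN;
    return (long)(TLV_HDR_LEN + len);
}

/* Walk back-to-back records and count them. Returns -1 on the first
 * malformed record instead of reading past the end of the buffer. */
int count_tlvs(const uint8_t *buf, size_t buflen)
{
    int n = 0;
    size_t off = 0;
    while (off < buflen) {
        tlv_t rec;
        long used = parse_tlv(buf + off, buflen - off, &rec);
        if (used < 0)
            return -1;
        off += (size_t)used;
        n++;
    }
    return n;
}

/* Constructed sample: two well-formed records ("abc" and "z"). */
static const uint8_t good_packet[] = {
    0x01, 0x00, 0x03, 'a', 'b', 'c',
    0x02, 0x00, 0x01, 'z'
};

/* Constructed sample: the second record claims 255 value bytes but only one
 * byte follows. A parser that trusts the field would read 254 bytes past
 * the end of the buffer; this one rejects the packet. */
static const uint8_t bad_packet[] = {
    0x01, 0x00, 0x03, 'a', 'b', 'c',
    0x02, 0x00, 0xFF, 'z'
};

int count_good(void) { return count_tlvs(good_packet, sizeof good_packet); }
int count_bad(void)  { return count_tlvs(bad_packet,  sizeof bad_packet);  }

int main(void)
{
    printf("good packet: %d records\n", count_good()); /* 2 */
    printf("bad packet:  %d (rejected)\n", count_bad()); /* -1 */
    return 0;
}
```

The two checks in parse_tlv (header present, declared length within the remaining bytes) are exactly what is easy to forget in a dissector written under time pressure, and a missing one turns a malformed packet into an out-of-bounds read. Keeping every access relative to an explicit remaining-length value, rather than to the declared length from the packet, is the habit that makes this kind of code reviewable.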