Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in - Mailing list pgsql-hackers

From Rod Taylor
Subject Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in
Msg-id 1029951006.35003.15.camel@jester
In response to Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in  (Bruce Momjian <pgman@candle.pha.pa.us>)
Responses Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-hackers
On Wed, 2002-08-21 at 13:13, Bruce Momjian wrote:
> Justin Clift wrote:
> > Bruce Momjian wrote:
> > > 
> > > Justin Clift wrote:
> > > > Only two things which have the potential to be worth waiting for, from
> > > > what I'm aware of.  There may be others:
> > > >
> > > >  - Find out from Sir Mordred if he wants to take a look at the CVS
> > > >    version of code and audit in that for a bit, Just In Case he turns
> > > >    up something that's serious and requires substantial re-work.
> > > >    Although it means he wouldn't have a bunch of "I found this existing
> > > >    exploit" type releases, we could instead offer him credit on the
> > > >    press release along the lines of "This release has been audited for
> > > >    security flaws in its code by Sir Mordred".  Am pretty sure he'd
> > > >    do a very thorough job for that, as it means he'd have an official
> > > >    "product reputation" he'd need to stand by for it.
> > > 
> > > This is interesting.  He would have a month to do it.
> > 
> > Reckon it's worth asking him, to find out if he'd be interested in this?
> 
> 
> I wouldn't do it yet until we know if we are going to delay.

I'd ask anyway.  99% of the issues he finds will be fairly localized.
Anything truly new (not on TODO already) will probably require a fair
bit of time to track down, then fix time on top (2 months' delay?).

Anyway, these types of discoveries are better in beta than after the
release and would still warrant a mention if there is a fair amount of
ground covered.


Personally, I'd be more interested in what's safe (covered) than what's
broken.  Posting the successful test cases as some proof towards
stability / security of the new release would realize immediate gains in
settling nervous VPs about the new installation.
