Older blog entries for metaur (starting at number 57)

8 May 2006 (updated 10 May 2006 at 18:54 UTC)

Buffer overflow in ClamAV's freshclam client (Securityfocus || ClamAV || Heise)
Not security-related overflows in RRDtool (1, 2) and SoX (again)
Securiteam and OSVDB :: readable blogs about computer security

I've been playing around with ancient version control programs like SCCS (in the form of GNU CSSC) and RCS, and it's interesting to note how many of the not-so-obvious but still important features were present that early on. Do the current version control systems suffer slightly from creeping featurism? Discuss among yourselves. Rhetorical question - answer within.

The song "Laughter" by The Fine Arts Showcase is really, really beautiful.

Apart from that, I've mostly been carrying my briefcase to the office.

21 Mar 2006

cURL 7.15.0, 7.15.1, 7.15.2 (SSAG#001) s + f
Helsinki ( Kiasma - Fazer Café - Stockmann - Tavastia/Semifinal - architecture - design ) -- might sound shallow but that's part of who I am
metamail again and again
Johnny Cash - Astrud Gilberto - The Ramones (taken over someone's record collection) - italodisco
full sentences = evil

28 Dec 2005

I haven't done very much free software work since last time either. I did find some buffer overflow bugs in webalizer, but they are only bugs - no vulnerabilities.

There was a new announcement about the architectures in Debian etch. It will be interesting to see how things finally turn out.

I forgot to write about it earlier, but the US-CERT published a vulnerability note about my old bugs in unace, after the same guy at Secunia Research found about six other products that were affected by the bugs as they incorporated the unace code. The Secunia guy is obviously my biggest fan, and I'll send him a signed photo real soon.

I've almost finished reading Beijing Doll, which I bought in Minneapolis last summer. It's OK but nothing special. I suppose being a punk rock rebel is more of a new idea in China than here in Europe. She'll probably write something better later on, though.

Apart from that, I've mostly been working and celebrating Christmas.

I'm getting very bored of writing here, so I probably won't update this diary very often in the future. Many thanks to those who rated, voted for and e-mailed me about it! It's nice to know that some people appreciate my work for the free/open source software community.

Happy new year,
Ulf

1 Dec 2005

OK, so you're a rocket scientist

I haven't worked on any big Linux project recently. However, I submitted some bugs and patches to spamassassin, and I've found a buffer overflow vulnerability in unalz when it extracts ALZ archives. I haven't seen many of those archives, but I like being thorough and checking all programs in a category and not just the most popular ones. The unalz bug got average grades from the security reviewing office workers (none of whom could write a simple C program to save their lives).

In more exciting news, Drupal has started using an HTML filtering library based on my kses library.

I've mostly been busy with my day job. I really like it, as I get to code networking applications which I find much more exciting than web publishing systems and as the tasks are more challenging than in other companies.

That don't impress me much

As I'm now gainfully employed, you can't write to me at my @student.uu.se e-mail address anymore. You have to use the one at my person page here at Advogato.

"You keep hangin' 'round me / And I'm not so glad you found me / You're still doing things that I gave up years ago"
-- Lou Reed

The new Ladytron record was a disappointment! They have changed their style quite a bit and started playing overblown alternative rock with bad melodies and a slick production that may or may not have anything to do with having signed to a big record label recently. It's OK and everything but it's much worse than the other two albums.

The new alternative comic album by the Swede Mats Jonsson is also a departure - much darker, less humour, different subject matter, less stuff that I could relate to - but I quite liked it, especially the "being scared out in the woods" part.

Computer security for laymen

A race condition is what occurs when you leave the washing room, enter the pitch black corridor, and the monsters manage to catch you before you reach the light button (which of course destroys all monsters just milliseconds before turning on the light).

22 Oct 2005

I have found a pretty serious remote buffer overflow in the good old Lynx browser (plus some not security-related stuff). I have also found remote format string bugs in xine-lib and in weex (the latter was incorrectly reported to have been found by someone else).

The Nethack Linux distribution is definitely ready for the desktop ;)

Tools & Tips for auditing code (not for the clueless JT or PÖ people out there though)

I have a new job! I've been studying literature for a while, and the course was really interesting with good teachers and classic but readable books. I didn't really get to know the other students though - they found me really old and talked to me in that dinner-with-Grandpa tone of voice ("Yes, Grandpa, I go to church every Sunday. No, Grandpa, I never listen to any of that sinful jazz music."). Consequently, I've given up on it to work and earn some money again.

"Winter" from the first Tori Amos record is really moving. I've bought new records from Ladytron (!!), Broadcast and Sibiria, but I haven't listened to them enough yet to have an opinion.

26 Sep 2005

The chill of October (a great song by Client)

To keep on bullying^Wreviewing Linux distributions, I've installed Mandriva/Mandrakelinux/Mandrake Linux (whatever) now, as promised earlier. I found it stylish and helpful and equipped with a nice collection of software. On the other hand, I had some installation problems: it left me with a U.S. keyboard, X expected to find the mouse at /dev/mouse and not /dev/mouse0 so it couldn't access it at all, and I couldn't access the floppy drive either. All these problems were easy to solve, but seeing as they target newcomers to Linux, perhaps they should polish their installation system a bit more so people won't end up with a broken system. Some people don't want to use emacs to edit XF86Config, you know.

Vanity Fair

Some guy e-mailed me about one month ago and asked how to find vulnerabilities in software. (Respectable enough, as long as they don't ask "can u t3ach m3 2 b-c0m3 a 31337 h4xx0r" it's fine.) Here is an expanded version of my reply:

To find new vulnerabilities, first you need to know the programming language and environment well, so study C and so on if you don't. Theo de Raadt from OpenBSD says that security problems are quality problems with people making subtle mistakes, and you won't find those mistakes unless you know better than the original authors how things work.

Some people (JT!!) that asked this question earlier seemed to expect an answer of the type "look for all strcpy() calls". Unfortunately, there is no such answer, because it depends on the program. Functions like strcpy(), strcat(), sprintf(), strncpy(), strncat(), sscanf() and so on are sometimes buffer overflows, sometimes not. To do this well, you should learn C and not just look for certain strings in code that you don't understand at all.

You'll probably need a program for source code navigation, so you'll quickly find all places where an interesting function in the program gets called. Some nice open source programs for that include lxr, gonzui and cscope.

Some people also find automated scanning programs like flawfinder and rats helpful. I don't, really, but they might be worth checking out.

Good luck!
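To make the "sometimes, sometimes not" point concrete, here is an added example in C (not code from this diary or from any audited program) using a constructed 16-byte destination: a strcpy() that a string search would flag but that is safe, a strncpy() the search would miss but that is the actual defect, its corrected form, and a width-bounded sscanf().

```c
#include <stdio.h>
#include <string.h>

#define NAMELEN 16
static char name[NAMELEN];   /* constructed fixed-size destination for the demos */

/* A grep for strcpy() flags this, yet it is safe: the source length is
   checked against the destination (leaving room for the NUL) before the
   copy. Returns 0 on success, -1 when src is rejected. */
int set_name_checked(const char *src)
{
    if (strlen(src) >= NAMELEN)
        return -1;
    strcpy(name, src);               /* cannot overflow: bounded above */
    return 0;
}

/* No strcpy() here, so the grep stays silent, but this is the real defect:
   strncpy() bounded to the whole buffer leaves name unterminated whenever
   src has NAMELEN or more bytes, and a later strlen() or "%s" then reads
   past the array. Returns 1 if name ended up NUL-terminated, 0 if not. */
int set_name_strncpy(const char *src)
{
    strncpy(name, src, NAMELEN);
    return memchr(name, '\0', NAMELEN) != NULL;
}

/* Corrected form: copy at most NAMELEN-1 bytes and always terminate. */
int set_name_strncpy_fixed(const char *src)
{
    strncpy(name, src, NAMELEN - 1);
    name[NAMELEN - 1] = '\0';
    return memchr(name, '\0', NAMELEN) != NULL;
}

/* sscanf() with a bare "%s" is unbounded; the field width in "%15s" makes
   it safe for a 16-byte destination. Returns the length stored, -1 on no match. */
int parse_word(const char *line)
{
    if (sscanf(line, "%15s", name) != 1)
        return -1;
    return (int)strlen(name);
}
```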

(That probably sounded horribly vain, but that goes with the genre, I guess. Is it even possible to write blogs or Internet diaries without sounding like you're bragging?)

xyzzy

"Whereof one cannot speak, thereof one must be silent." -- Ludwig Wittgenstein

28 Aug 2005

There are a few more write-ups of my Evolution vulnerabilities for SITIC: certa.ssi.gouv.fr || itsec.gov.cn

I have found a buffer overflow in good old Elm and the way it handles Expires headers in e-mail messages ( Secunia || Frsirt -- Critical! Yay! Their highest rating! || an exploit ).

I have also found a format string bug in simpleproxy that gets hit when remote HTTP proxies send back malicious data ( Secunia || Frsirt ).

abi: Did you know that The Trashmen's Surfin' Bird is a medley of two earlier songs? I thought that was weird, as it's such a primitive song (which might not be a bad thing, since it's rock music we're talking about).

16 Aug 2005

I don't think I've written about it here, but I had a summer vacation job doing security audits of code for SITIC this summer as well. I found several vulnerabilities in Evolution:

SITIC (our original text)
Secunia || nvd.nist.gov i ii || securitytracker.com || securiteam.com || frsirt.com || heise.de || seguridad.unam.mx || outpost24.com || linux.org.ru || actinet.cz
I'm quite proud!

If we move on to less commercial activities, Dirk has given me commit rights to Pavuk's CVS repository, so I've committed lots of fixes for the Pavuk code and the website.

Happy birthday, Debian!!

I've studied the Internet services LDAP and SNMP recently, to learn something new and broaden my horizons. LDAP is nice, but to me SNMP seems overly complex for what it does, but that sentiment may come from being an SNMP n00b that doesn't know what he's talking about.

I wrote about wanting to try some new Linux distributions earlier, and now I've finally done so. SUSE Linux has lots of programs and has a serious German quality engineering feel to it. On the downside, there's too much non-free software in it, and the fact that KDE, GNOME and general X Window System installs all seem to require all five CDs (instead of, say, putting GNOME stuff on disc 2-3 and KDE stuff on disc 4-5) wasn't a very good idea at all. Next victim up for ignorant mini-review: Mandrakelinux.

Questionable Content is an enjoyable web comic about the indie music scene and human relations.

31 Jul 2005 (updated 1 Aug 2005 at 07:18 UTC)

The tale of the 26 year old bug

My mailx overflow patches are now accepted into OpenBSD. Finding obscure overflows in OpenBSD (these and one of the Apache bugs last year) makes my day, as these guys are the kings of finding overflows in C code.

Since mailx is an ancient program written by carving C code into stone with primitive knives tens of thousands of years ago when Sweden was uninhabitable and covered in ice [1], I downloaded a few files from The Unix Heritage Society to date the bugs. The scan() overflow was present both in 2BSD and 4.2BSD, making it 26 years old! The off-by-one bug in readtty() was present in 4.2BSD but not in 2BSD, making it a few years younger.

copycat

Secunia Research has found some vulnerabilities in Avast Antivirus's handling of ACE archives. They are "related" to my old bugs in unace.

misc

I have done yet more patching of pavuk (potential overflows, noting Slovak text that should be translated, ...) after a long break. I have discovered the really nice supertux game (a Super Mario Bros/Giana Sisters clone starring Tux the penguin), and I've already completed playing all 26 main levels (boast boast) but not the bonus levels yet. I've also started auditing netcat on paper at the local Hugo's cafe. Paper auditing seems like a convenient technique which however must be limited to smaller programs, unless someone else pays for the printer paper and the toner.

The "Building an OpenBSD port" page has some security advice. Joachim Breitner has an interesting paper about his new Cross Site Auth attack.

Now I'll finish my laundry and then it's time to go back to the Blow up a Panda music festival for the second day.

"They called the fat guy / the pervert in Happiness / I was his body double / but I was more convincing / I made a quick career" (Vapnet - "Seymour", translated from Swedish)

[1] Some would say it still is. We had really nice weather in the beginning of July, though.

8 Jul 2005

As a follow-up to Michal Zalewski's HTML fuzzer called mangleme, I wrote a CSS fuzzer that generates lots of web pages with randomly broken style sheets. I tried running it for quite a while on several web browsers without finding any bugs at all. Oh well - now I've tried that too. I suppose this taught me a problem with blackbox auditing (no access to source code) in general - it's not obvious when you should stop. Perhaps the program would have found bugs in Internet Explorer (not terribly surprising given its history) if left running for a few more hours.

The off-by-one bug that I found in mailx earlier also exists in nail. You're not supposed to access buf[sizeof(buf)] - it's not a part of buf. I've also been auditing GNU Wget lately.
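As an added illustration, not code from mailx or nail, here is a constructed readtty()-style line reader with exactly that off-by-one next to its corrected form; the demo's backing array is one byte larger than the size the function is told, so the stray write to buf[size] lands in memory the program owns and can be observed rather than corrupting whatever follows.

```c
#include <stddef.h>
#include <string.h>

#define LINE 8   /* constructed logical buffer size, small so the edge is easy to hit */

/* Copies one line of input into buf, which the caller says holds `size`
   bytes. Returns the index where the terminating NUL was written.
   BUG: the loop admits i == size, so the NUL then lands at buf[size],
   which is not part of buf. */
size_t readline_offbyone(char *buf, size_t size, const char *input)
{
    size_t i = 0;
    while (*input && *input != '\n' && i < size)
        buf[i++] = *input++;
    buf[i] = '\0';                   /* i may equal size here */
    return i;
}

/* Corrected: keep one byte back for the terminator, so i <= size - 1. */
size_t readline_fixed(char *buf, size_t size, const char *input)
{
    size_t i = 0;
    if (size == 0)
        return 0;                    /* nothing can be stored at all */
    while (*input && *input != '\n' && i < size - 1)
        buf[i++] = *input++;
    buf[i] = '\0';                   /* always inside buf */
    return i;
}

/* Runs one variant against a backing array with one extra byte holding a
   marker; returns 1 if the marker just past the logical buffer was
   clobbered, 0 if it survived. */
int demo_clobbers_past_end(int use_fixed)
{
    char backing[LINE + 1];
    const char *input = "abcdefghij\n";     /* constructed: longer than LINE */
    memset(backing, 'X', sizeof backing);   /* 'X' at backing[LINE] is the marker */
    if (use_fixed)
        readline_fixed(backing, LINE, input);
    else
        readline_offbyone(backing, LINE, input);
    return backing[LINE] != 'X';
}
```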

At least one guy thinks you're a guru if you audit code for Debian..

Lately I've seen Clem Snide and Erik Aschan Zürcher play live, and I've also celebrated the lovely Swedish summer by having some fun in general with people I know.

richdawe: One solution to this problem might be to package the broken HTTP requests or e-mail messages. If a server receives an e-mail message with two Content-Type headers, it should construct a new head with the Content-Type text/plain and put the entire broken message (head+body) in the body, so it is shown as text. That way, the users will get to read any potentially valuable textual information in the broken messages, but they won't be exposed to any vulnerabilities or bugs resulting from different programs parsing broken messages differently.
