[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Calysto v1.5 reports on openldap_v2.4.4alpha

To: Domagoj Babic <babic.domagoj@gmail.com>
Subject: Re: Calysto v1.5 reports on openldap_v2.4.4alpha
From: Pierangelo Masarati <ando@sys-net.it>
Date: Tue, 21 Aug 2007 10:27:21 +0200
Cc: openldap-bugs@openldap.org
In-reply-to: <e3684ba30708210116w55ededd8w6d72bd7cc1d0ef8@mail.gmail.com>
References: <e3684ba30708180558q2d91426ar1d585f0a15113fe9@mail.gmail.com> <e3684ba30708201202x32de67dfye9fa6521753f6415@mail.gmail.com> <1B9735D7-D7D3-44B8-A351-61C81F5B74F7@OpenLDAP.org> <e3684ba30708201255p34fb56a0xb7830846b5aec1df@mail.gmail.com> <771CFABC-DF6B-43A8-99A5-A3F99729C7F7@openldap.org> <46CA971A.4040900@sys-net.it> <e3684ba30708210047w66114efdx341cacb71a71c1eb@mail.gmail.com> <46CA9B8C.7000301@sys-net.it> <e3684ba30708210116w55ededd8w6d72bd7cc1d0ef8@mail.gmail.com>
User-agent: Mail/News 1.5.0.8 (X11/20061210)

Domagoj Babic wrote:

> Ok, thank you a bunch for the clarification.

> This might be especially relevant to buffer overrun checking

exactly

> However, Kurt, on the behalf of the OpenLDAP Foundation, explicitly
> stated that the foundation is not interested in having the code
> statically checked, so I won't be sending reports (except for one
> more I have already generated).

I don't think he said exactly that.  I believe he said the project is
not interested in receiving plain reports just for the purpose of
debugging Calysto (nothing personal: only, we're just a few volunteers,
and we cannot dedicate too much time in reviewing reports potentially
filled by false positives).  If you put some effort in separating what
could be critical from what isn't likely, any report would be welcome.

For example, I'm reviewing your initial submission and, apart from
what's directly related to the clients, there are a couple of reports
that may require some action.  I'll post about my findings later, on a
private basis.  Only, I'm not going to do this routinely and too often.

> Once Calysto becomes publicaly available, you might actually get in a
> position where other people will be capable of finding exploits
> automatically --- every great technology has its dark side :-)

I know.  That's why I'm not going to entirely decline the reports you
offered to submit.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------

Follow-Ups:
- Re: Calysto v1.5 reports on openldap_v2.4.4alpha
  - From: Kurt Zeilenga <kurt@OpenLDAP.org>

References:
- Calysto v1.5 reports on openldap_v2.4.4alpha
  - From: "Domagoj Babic" <babic.domagoj@gmail.com>
- Re: Calysto v1.5 reports on openldap_v2.4.4alpha
  - From: Kurt Zeilenga <kurt@OpenLDAP.org>
- Re: Calysto v1.5 reports on openldap_v2.4.4alpha
  - From: "Domagoj Babic" <babic.domagoj@gmail.com>
- Re: Calysto v1.5 reports on openldap_v2.4.4alpha
  - From: Kurt Zeilenga <kurt@OpenLDAP.org>
- Re: Calysto v1.5 reports on openldap_v2.4.4alpha
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: Calysto v1.5 reports on openldap_v2.4.4alpha
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: Calysto v1.5 reports on openldap_v2.4.4alpha
  - From: "Domagoj Babic" <babic.domagoj@gmail.com>

Prev by Date: Re: Calysto v1.5 reports on openldap_v2.4.4alpha
Next by Date: (ITS#5100) libldap allows controls to have NULL oid
Index(es):
- Chronological
- Thread