Firefox buffer overflow and full disclosure
Posted Sep 15, 2005 23:47 UTC (Thu) by cventers
In reply to: Firefox buffer overflow and full disclosure
Parent article: Firefox buffer overflow and full disclosure
The page you linked points out a memory exhaustion condition and a
so-called "bounce flood". The memory exhaustion attack is addressed here:
As for the bounce flood, I don't see how you can consider this a security
problem because the size of the input is 1:1 the size of the output...
ie, send a 5 mb message, get 5 mb back.
Qmail is a huge target because of DJB's attitude and security guarantee,
plus its reputation. So far the only "security problems" anyone can point
out are total grabbing-at-the-straws attempts where you don't set ulimits
(the procedure is described all over his site, and all the other Qmail
sites as well), etc.
I'd say that Qmail is the most secure daemon that there ever was, period.
It's in huge and widespread use and despite an entire community of
hackers that hate Dan, no one has actually managed to execute arbitrary
code - or certainly, obtain root privileges.
That's beside the point anyway. My point is that buffer overflows and
other "escalated privileges" bugs are not at all a fact of life...
they're a result of lazy programming and/or cluelessness. Sure, we all
make mistakes... but I think Dan's qmail demonstrates that good design
and careful programming can produce software that doesn't break. Firefox
is certainly way on the other end of the spectrum, second to only
Internet Explorer in its number of exploits.
to post comments)