Re: [Full-disclosure] Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows
On Thu, 17 Apr 2008 23:17:14 CDT, reepex said: > I find it funny you are the one to complain about too many advisories when > you spam the list with sprintf and strcpy bugs you grepped for in random > applications everyday > > On Tue, Apr 15, 2008 at 9:20 AM, Luigi Auriemma <[EMAIL PROTECTED]> wrote: > > It's just like if someone finds a bug in zlib and releases 1 > > advisories, one for each program in the world which uses the library... > > the bug is not in these 1 programs but only in zlib. And in fact, the last time there was a bug in zlib, there *were* a zillion advisories, because at the time, a zillion packages carried their own private copy of zlib around because it may or may not have been available on the target system, or because they statically linked zlib in so just updating the system copy of the shared library doesn't help. Nobody (as far as I know) filed an advisory for packages that used the system zlib, only for those packages that wouldn't be fixed by updating the system copy. I'd be interested in knowing what Luigi would recommend be done for such packages... pgpVmOT3JrLbg.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows
I find it funny you are the one to complain about too many advisories when you spam the list with sprintf and strcpy bugs you grepped for in random applications everyday On Tue, Apr 15, 2008 at 9:20 AM, Luigi Auriemma <[EMAIL PROTECTED]> wrote: > > Autonomy Keyview Folio Flat File Parsing Buffer Overflows > > Autonomy Keyview Applix Graphics Parsing Vulnerabilities > > Autonomy Keyview EML Reader Buffer Overflows > > activePDF DocConverter Folio Flat File Parsing Buffer Overflows > > activePDF DocConverter Applix Graphics Parsing Vulnerabilities > > Lotus Notes Applix Graphics Parsing Vulnerabilities > > Lotus Notes Folio Flat File Parsing Buffer Overflows > > Lotus Notes EML Reader Buffer Overflows > > Lotus Notes kvdocve.dll Path Processing Buffer Overflow > > Lotus Notes htmsr.dll Buffer Overflows > > Symantec Mail Security Folio Flat File Parsing Buffer Overflows > > Symantec Mail Security Applix Graphics Parsing Vulnerabilities > > 12 mails for the same library? > > >From what I have understood all the bugs are just in this Autonomy > Keyview library so in my opinion reporting the same identical bugs in > each software which uses this thirdy part component and additionally > without saying that the problem in reality is in the library is wrong > and leads to a lot of confusion. > > It's just like if someone finds a bug in zlib and releases 1 > advisories, one for each program in the world which uses the library... > the bug is not in these 1 programs but only in zlib. > > > --- > Luigi Auriemma > http://aluigi.org > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows
When examining advisory SA28209 http://secunia.com/advisories/28209/ it points to reports listing vulnerabilities in several products and versions (Verity KeyView Viewer SDK 7.x, 8.x, and 9.x) etc. Secunia's Web site lists advisories by a specific product too, see http://secunia.com/product/5570/?task=advisories I believe this is the reason of several advisories. Juha-Matti Erik Harrison <[EMAIL PROTECTED]> wrote: > Its not always easy to know what libs all of your apps are using. Unless of > course you're managing a small set of systems, have a lot of time, or are > particularly godlike at what you do. I think it's great that they identify > the software using it. Frankly, if I'm in an enterprise environment running > Lotus for some god awful reason, that's going to get my attention more than > one of its libraries. > > Yes, it does inflate their stats on number of vuln advisories published in a > year, but whatever - I don't care about that. What's the better way to deal > with it? Try and push one advisory listing 1000 apps affected in its > content? Even then, you're not going to have a accurate list. I think it > -is- better to publish one advisory per affected piece of software. When I'm > skimming the 100 or so that hit my inbox every day, I don't have the luxury > of opening each one. Unfortunate, but that's reality of most security staff. > > It's only going to get worse. Reporting is going to increase and threats are > going to apply to far more products inheriting the same code. What's the > best, most scalable way of dealing with this? Anyone have any ideas on that > one? > > > > On Tue, Apr 15, 2008 at 10:20 AM, Luigi Auriemma <[EMAIL PROTECTED]> > wrote: > > > > Autonomy Keyview Folio Flat File Parsing Buffer Overflows > > > Autonomy Keyview Applix Graphics Parsing Vulnerabilities > > > Autonomy Keyview EML Reader Buffer Overflows > > > activePDF DocConverter Folio Flat File Parsing Buffer Overflows > > > activePDF DocConverter Applix Graphics Parsing Vulnerabilities > > > Lotus Notes Applix Graphics Parsing Vulnerabilities > > > Lotus Notes Folio Flat File Parsing Buffer Overflows > > > Lotus Notes EML Reader Buffer Overflows > > > Lotus Notes kvdocve.dll Path Processing Buffer Overflow > > > Lotus Notes htmsr.dll Buffer Overflows > > > Symantec Mail Security Folio Flat File Parsing Buffer Overflows > > > Symantec Mail Security Applix Graphics Parsing Vulnerabilities > > > > 12 mails for the same library? > > > > >From what I have understood all the bugs are just in this Autonomy > > Keyview library so in my opinion reporting the same identical bugs in > > each software which uses this thirdy part component and additionally > > without saying that the problem in reality is in the library is wrong > > and leads to a lot of confusion. > > > > It's just like if someone finds a bug in zlib and releases 1 > > advisories, one for each program in the world which uses the library... > > the bug is not in these 1 programs but only in zlib. > > > > > > --- > > Luigi Auriemma > > http://aluigi.org ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows
Its not always easy to know what libs all of your apps are using. Unless of course you're managing a small set of systems, have a lot of time, or are particularly godlike at what you do. I think it's great that they identify the software using it. Frankly, if I'm in an enterprise environment running Lotus for some god awful reason, that's going to get my attention more than one of its libraries. Yes, it does inflate their stats on number of vuln advisories published in a year, but whatever - I don't care about that. What's the better way to deal with it? Try and push one advisory listing 1000 apps affected in its content? Even then, you're not going to have a accurate list. I think it -is- better to publish one advisory per affected piece of software. When I'm skimming the 100 or so that hit my inbox every day, I don't have the luxury of opening each one. Unfortunate, but that's reality of most security staff. It's only going to get worse. Reporting is going to increase and threats are going to apply to far more products inheriting the same code. What's the best, most scalable way of dealing with this? Anyone have any ideas on that one? On Tue, Apr 15, 2008 at 10:20 AM, Luigi Auriemma <[EMAIL PROTECTED]> wrote: > > Autonomy Keyview Folio Flat File Parsing Buffer Overflows > > Autonomy Keyview Applix Graphics Parsing Vulnerabilities > > Autonomy Keyview EML Reader Buffer Overflows > > activePDF DocConverter Folio Flat File Parsing Buffer Overflows > > activePDF DocConverter Applix Graphics Parsing Vulnerabilities > > Lotus Notes Applix Graphics Parsing Vulnerabilities > > Lotus Notes Folio Flat File Parsing Buffer Overflows > > Lotus Notes EML Reader Buffer Overflows > > Lotus Notes kvdocve.dll Path Processing Buffer Overflow > > Lotus Notes htmsr.dll Buffer Overflows > > Symantec Mail Security Folio Flat File Parsing Buffer Overflows > > Symantec Mail Security Applix Graphics Parsing Vulnerabilities > > 12 mails for the same library? > > >From what I have understood all the bugs are just in this Autonomy > Keyview library so in my opinion reporting the same identical bugs in > each software which uses this thirdy part component and additionally > without saying that the problem in reality is in the library is wrong > and leads to a lot of confusion. > > It's just like if someone finds a bug in zlib and releases 1 > advisories, one for each program in the world which uses the library... > the bug is not in these 1 programs but only in zlib. > > > --- > Luigi Auriemma > http://aluigi.org > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows
> Autonomy Keyview Folio Flat File Parsing Buffer Overflows > Autonomy Keyview Applix Graphics Parsing Vulnerabilities > Autonomy Keyview EML Reader Buffer Overflows > activePDF DocConverter Folio Flat File Parsing Buffer Overflows > activePDF DocConverter Applix Graphics Parsing Vulnerabilities > Lotus Notes Applix Graphics Parsing Vulnerabilities > Lotus Notes Folio Flat File Parsing Buffer Overflows > Lotus Notes EML Reader Buffer Overflows > Lotus Notes kvdocve.dll Path Processing Buffer Overflow > Lotus Notes htmsr.dll Buffer Overflows > Symantec Mail Security Folio Flat File Parsing Buffer Overflows > Symantec Mail Security Applix Graphics Parsing Vulnerabilities 12 mails for the same library? >From what I have understood all the bugs are just in this Autonomy Keyview library so in my opinion reporting the same identical bugs in each software which uses this thirdy part component and additionally without saying that the problem in reality is in the library is wrong and leads to a lot of confusion. It's just like if someone finds a bug in zlib and releases 1 advisories, one for each program in the world which uses the library... the bug is not in these 1 programs but only in zlib. --- Luigi Auriemma http://aluigi.org ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/