
Re: OpenSSH: What went wrong?
In some mail from Theo de Raadt, sie said:
[...]
> > What situations exist now (vs earlier in the project life) that might have 
> > made it easier for something like this to happen?
> > Is this a new kind of vulnerability, or a 'standard' one that just got missed?
> > How has the management of the project dealt with the issue?
> 
> This bug was different from a technical standpoint.  It was really
> hard to spot.  There were two bugs.  One is that it uses an int off
> the network without checking.  But the real bug is an integer
> overflow, and noone is looking for those yet.  The code looked safe.
[...]

So what are you doing to prevent this sort of thing from recurring?

What I'd expect, for starters, is quite simply that all "new" code must
be audited before a "major" OpenSSH release is made.

I'd also expect that in an application like OpenSSH all inputs are
checked (this one wasn't).  This new code should have been rejected
by someone before it got into the CVS tree for OpenSSH because it was
missing things like this.

I don't particularly like the idea that this is a "new type of overflow".

What that says to me is that you aren't really auditing software
properly if these kinds of things have slipped through previous audits.

Just for something different, maybe you should get together and have an
auditathon rather than a hackathon.
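The two bugs Theo describes above, an int taken off the network without a check and an integer overflow in the size computed from it, shown side by side in an added C illustration of the pattern. This is not the OpenSSH code and is not from the thread; ELEM_SIZE, MAX_ENTRIES and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed values for this illustration: a per-entry size and the
 * largest entry count the (hypothetical) protocol could legitimately need. */
#define ELEM_SIZE   8u
#define MAX_ENTRIES 4096u

/* Naive size computation: a 32-bit count taken straight off the wire is
 * multiplied in 32-bit arithmetic.  Any count above UINT32_MAX / ELEM_SIZE
 * wraps the product to a small number, so the table allocated from it is
 * far smaller than the count later used to index it.  The code "looks safe". */
uint32_t naive_table_bytes(uint32_t count)
{
    return count * ELEM_SIZE;   /* e.g. 0x20000001 * 8 wraps to 8 */
}

/* Hardened form: bound the count first, then prove the multiplication
 * cannot overflow before doing it in size_t arithmetic.  Returns 0 and
 * fills *out on success, -1 if the count must be rejected. */
int checked_table_bytes(uint32_t count, size_t *out)
{
    if (count == 0 || count > MAX_ENTRIES)   /* protocol-level sanity bound */
        return -1;
    if (count > SIZE_MAX / ELEM_SIZE)        /* explicit overflow check */
        return -1;
    *out = (size_t)count * ELEM_SIZE;
    return 0;
}

/* Allocate the table only through the checked path; NULL means "reject". */
void *alloc_table(uint32_t count_from_wire)
{
    size_t bytes;
    if (checked_table_bytes(count_from_wire, &bytes) != 0)
        return NULL;                          /* hostile or corrupt count */
    return calloc(1, bytes);
}

int main(void)
{
    uint32_t evil = 0x20000001u;   /* constructed: wraps the naive product */
    printf("naive:   %u entries -> %u bytes\n",
           (unsigned)evil, (unsigned)naive_table_bytes(evil));
    void *t = alloc_table(evil);
    printf("checked: %s\n", t ? "allocated" : "rejected");
    free(t);
    return 0;
}
```

The naive path is what an audit has to catch: the multiplication is the bug, not any single line that obviously reads an untrusted value.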