Re: OpenSSH: What went wrong?
> In some mail from Theo de Raadt, sie said:
> [...]
> > > What situations exist now (vs earlier in the project life) that might have
> > > made it easier for something like this to happen?
> > > Is this a new kind of vulnerability, or a 'standard' one that just got missed?
> > > How has the management of the project dealt with the issue?
> >
> > This bug was different from a technical standpoint. It was really
> > hard to spot. There were two bugs. One is that it uses an int off
> > the network without checking. But the real bug is an integer
> > overflow, and no one is looking for those yet. The code looked safe.
> [...]
>
> So what are you doing to prevent this sort of thing from reoccurring?
We audit continually. You don't help.
> What I'd expect, for starters, is quite simply that all "new" code must
> be audited before a "major" OpenSSH release is made.
This code has been under development continually, and this bug is old and
subtle.
Yet, you don't help.
> I'd also expect that in an application like OpenSSH is for all inputs to
> be checked (this one wasn't). This new code should have been rejected
> by someone before it got into the CVS tree for OpenSSH because it was
> missing things like this.
Where is your help?
> I don't particularly like the idea that this is a "new type of overflow".
The real tricky part is arithmetic overflow.
Wait till you see what u_int vs int and > and < are going to cause.
> What that says to me is that you aren't really auditing software
> properly if these kinds of things have slipped through previous audits.
And are you helping?
> Just for something different, maybe you should get together and have an
> auditathon rather than a hackathon.
Why are you telling us to do what we already do, when you don't do any
of it?
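The two bug classes named above (an int taken off the wire and used as a count, and an arithmetic overflow in a check that reads as correct, plus the u_int vs int comparison trap) are easier to see in code than in prose. The block below is a constructed example added to this archive page; it is not OpenSSH code and not code from anyone in the thread. It assumes a made-up record format (a 4-byte big-endian count of 8-byte entries copied into a 32 KiB buffer) and the function names `check_signed_limit`, `check_unsigned_product`, `check_bounded_count` and `outcome` are hypothetical. Each check returns whether it accepts a count, and `outcome` reports whether the copy that follows would overrun the buffer.

```c
/*
 * Constructed example, not code from OpenSSH or from this thread.
 * A count arrives as a 4-byte big-endian integer and says how many
 * ENTRY_SIZE-byte entries follow; they are copied into a BUF_SIZE buffer.
 * Two "safe-looking" bounds checks are shown next to one that holds.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ENTRY_SIZE   8u
#define MAX_ENTRIES  4096u
#define BUF_SIZE     (MAX_ENTRIES * ENTRY_SIZE)   /* 32768 bytes */

/* Decode the count exactly as it sits in the packet (unsigned shifts,
 * so a high byte >= 0x80 cannot cause signed-shift trouble). */
uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Each check_* returns 1 if the count is accepted, 0 if rejected, and
 * stores in *bytes how many bytes the copy that follows would really
 * write. An accepted count with *bytes > BUF_SIZE is the overflow.
 */

/* Bug 1 (int off the wire, signed compare): a wire value >= 0x80000000
 * becomes a negative int, "n > limit" is false, the check passes, and the
 * later conversion to size_t turns the negative count into a huge length. */
int check_signed_limit(uint32_t wire, uint64_t *bytes)
{
    int n = (int)wire;            /* implementation-defined: wraps negative on gcc/clang */
    int limit = (int)MAX_ENTRIES;
    if (n > limit)                /* -1 > 4096 is false: accepted */
        return 0;
    size_t len = (size_t)n * ENTRY_SIZE;   /* (size_t)-1 * 8: enormous */
    *bytes = len;
    return 1;
}

/* Bug 2 (arithmetic overflow, everything unsigned): the limit is right,
 * but it is applied to n * ENTRY_SIZE, which wraps modulo 2^32. For
 * n = 0x20000001 the product is 8, the check passes, and the copy loop
 * still runs n times. On reading, this code looks safe. */
int check_unsigned_product(uint32_t wire, uint64_t *bytes)
{
    uint32_t n = wire;
    uint32_t need = n * ENTRY_SIZE;        /* 0x20000001 * 8 wraps to 8 */
    if (need > BUF_SIZE)
        return 0;
    *bytes = (uint64_t)n * ENTRY_SIZE;     /* what the loop really writes */
    return 1;
}

/* Fixed: keep the count unsigned, bound the count itself before deriving
 * anything from it, and use the division idiom so no attacker-controlled
 * multiplication happens ahead of the comparison. */
int check_bounded_count(uint32_t wire, uint64_t *bytes)
{
    uint32_t n = wire;
    if (n > MAX_ENTRIES)                   /* MAX_ENTRIES == BUF_SIZE / ENTRY_SIZE */
        return 0;
    if (n > SIZE_MAX / ENTRY_SIZE)         /* redundant here; the idiom when the
                                              product feeds malloc and the limit
                                              is not a compile-time constant */
        return 0;
    *bytes = (uint64_t)n * ENTRY_SIZE;     /* now provably <= BUF_SIZE */
    return 1;
}

/* Classify one count under one check: 0 rejected, 1 accepted and within
 * the buffer, 2 accepted but the copy would overrun the buffer. */
int outcome(int (*check)(uint32_t, uint64_t *), uint32_t wire)
{
    uint64_t bytes = 0;
    if (!check(wire, &bytes))
        return 0;
    return bytes > BUF_SIZE ? 2 : 1;
}

int main(void)
{
    /* Constructed wire values: int -1, a product that wraps to 8, and 100. */
    static const unsigned char wires[3][4] = {
        { 0xff, 0xff, 0xff, 0xff }, { 0x20, 0x00, 0x00, 0x01 }, { 0x00, 0x00, 0x00, 0x64 }
    };
    int (*checks[3])(uint32_t, uint64_t *) = {
        check_signed_limit, check_unsigned_product, check_bounded_count
    };
    const char *names[3] = { "signed limit", "unsigned product", "bounded count" };
    const char *verdict[3] = { "rejected", "accepted", "accepted -> OVERFLOW" };

    for (size_t i = 0; i < 3; i++) {
        uint32_t n = get_u32(wires[i]);
        for (size_t j = 0; j < 3; j++)
            printf("count 0x%08x  %-16s  %s\n", n, names[j], verdict[outcome(checks[j], n)]);
    }
    return 0;
}
```

Note that neither broken check is caught by a grep for memcpy or for a missing comparison: the first rejects every large positive count and the second rejects every count whose product happens not to wrap, so casual testing passes. The fix is the shape of the check, not its presence: compare the raw count against a bound derived by division, in one signedness, before any arithmetic on it.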