On Thu, Apr 17, 2008 at 11:05:25PM +0200, Moritz Muehlenhoff wrote:
> brian m. carlson wrote:
> > There may be more. I have gone through the code as thoroughly as I could, but the code is barely legible and uses lots of fixed-sized buffers. For these reasons, it is my recommendation that acon not be included in a stable release.
>
> Ack, this package should only be included in Lenny after a complete
> review by a member of the Debian audit team and communication with
> upstream to make sure such errors won't be re-introduced in later
> development.

I am subscribed to debian-audit, and we were requested to provide an audit, which I did. My recommendation stands. It's very difficult to audit the code, which is why I can't be sure I haven't missed something.

The fixed size buffers used in one part of the code are passed around to other parts of the code, and it seems that nobody but upstream has memorized all the constants. I saw very few uses of sizeof(buf) where that would have been appropriate, magic numbers (some buffer sizes) sprinkled throughout the code, and heavy use of strcpy and sprintf.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
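Added example (not acon's code and not from anyone in the thread) illustrating the pattern the audit describes: a fixed-size buffer whose length is a magic number, passed to another function where sizeof(buf) no longer helps and sprintf writes unchecked, beside the hardened form that carries the size along and detects truncation. NAME_LEN and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical constant standing in for the "magic number" buffer sizes
 * the audit mentions: every caller and callee must remember it. */
#define NAME_LEN 32

/* Pitfall: once a fixed-size array is passed to another function it
 * decays to a pointer, so sizeof(buf) here is sizeof(char *), not the
 * caller's array size. sizeof(buf) only helps in the declaring scope. */
size_t size_seen_by_callee(char *buf)
{
    return sizeof(buf);   /* 4 or 8 on common targets, never NAME_LEN */
}

/* The unsafe pattern the audit describes: sprintf into a fixed-size
 * buffer whose length is not passed along. Defined for contrast; never
 * called here because a long name would overflow dst. */
void build_greeting_unsafe(char *dst, const char *name)
{
    sprintf(dst, "Hello, %s", name);
}

/* Hardened form: the destination size travels with the pointer, and
 * snprintf's return value reveals truncation. Returns 0 on success,
 * -1 if the output did not fit (dst is then an empty string). */
int build_greeting(char *dst, size_t dstsz, const char *name)
{
    int n = snprintf(dst, dstsz, "Hello, %s", name);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char greeting[NAME_LEN];
    printf("callee sees %zu bytes, caller has %zu\n",
           size_seen_by_callee(greeting), sizeof(greeting));
    /* Constructed inputs: one that fits, one that would have overflowed. */
    printf("short name: %d\n", build_greeting(greeting, sizeof(greeting), "brian"));
    printf("long name:  %d\n", build_greeting(greeting, sizeof(greeting),
           "a name far longer than thirty-two characters"));
    return 0;
}
```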
