
Re: Lack of update information

Kevin Kofler wrote:
diff -Nur foo-old foo-new
and you'll see fairly quickly what they fixed. (And it's also trivial for a
cracker to do that, so it's utterly pointless to try withholding
information that way.)

I disagree.

I recently fixed something that could be considered "denial of service" in a program I maintain. The patch basically replaces some instances of "foo=object; object.incrementRefCount();" with "foo=object.clone();". I'd challenge you to figure out from just that how to exploit the problem, whereas the bug report might contain a detailed description of what you had to do, how the timing has to work out, and exactly what effect would be seen.

There's a difference between having to engineer an exploit from the patch (especially if even the commit is vaguely worded), and having full documentation on the problem and its cause.

Please do not quote my e-mail address unobfuscated in message bodies.
find / -user your -name base -print0 | xargs -0 chown us:cats -- Unknown
