[Asterisk-Users] Broadvoice asterisk patch

Michael Giagnocavo mgg-digium at atrevido.net
Wed Nov 10 14:39:22 MST 2004


>> If you're joking, :).
>> 
>> If you're serious, go read a primer on security. 
>> 
>> Do you patch your kernel the same way? 
>
>No. I was speaking of THAT patch.
>That one is not so difficult, imho.
>
>A more difficult one, of course, must be
>understood before. Or let someone who can
>do it for you.
>
>It's not a binary file, don't you agree???

I'll agree it's not a compiled binary. Sure. That's more factual than
anything.

I don't agree that it is any good, because I don't trust most people (myself
included) to 100% understand and verify a patch, especially a patch with
malicious intent. 

How hard would it be to patch something in the sip channel that allows a
buffer to be overrun? It could easily be crafted as an accident. A lot of
devs say "oh, they used strncat, so it can't overflow". A lot of users can't
even read C.

So, saying it's so easy to verify the patch and that this kind of
behaviour is acceptable is saying that you never miss a security hole.
That's quite a claim.

-Michael
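The strncat point in the message above is the classic one: strncat's third argument bounds how many bytes of the source are copied, not the size of the destination, so a call that looks bounded can still overrun. The following C is an added illustration written for this page, not code from the poster or from Asterisk; the buffer size and the sample strings are constructed. It computes whether a given strncat call would write past a fixed-size buffer (without performing the overrun) and shows an append that bounds the copy by the space actually remaining and reports truncation.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Length of s, but never scanning further than max bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t max) {
    size_t i = 0;
    while (i < max && s[i] != '\0') i++;
    return i;
}

/* Bytes strncat(dst, src, n) would occupy from dst[0], including the NUL.
 * The n argument limits how much of src is copied; it says nothing about
 * how much room dst has, which is the mistake the message describes. */
static size_t strncat_bytes_needed(const char *dst, const char *src, size_t n) {
    size_t src_len = bounded_len(src, n);  /* strncat copies at most n bytes of src */
    return strlen(dst) + src_len + 1;      /* existing content + appended + NUL */
}

/* True when the call would write beyond a destination of dst_size bytes. */
static bool strncat_would_overflow(const char *dst, const char *src,
                                   size_t n, size_t dst_size) {
    return strncat_bytes_needed(dst, src, n) > dst_size;
}

/* Hardened append: bound the copy by the space left in dst and tell the
 * caller whether src fit, so truncated input can be rejected rather than
 * silently accepted. Returns true only when all of src was appended. */
static bool safe_append(char *dst, size_t dst_size, const char *src) {
    size_t used = bounded_len(dst, dst_size);
    if (used >= dst_size) return false;    /* dst is not NUL-terminated: refuse */
    size_t room = dst_size - used - 1;     /* keep one byte for the NUL */
    size_t src_len = strlen(src);
    size_t to_copy = src_len < room ? src_len : room;
    memcpy(dst + used, src, to_copy);
    dst[used + to_copy] = '\0';
    return to_copy == src_len;
}

/* Constructed scenario: a 16-byte buffer already holding "sip:" receives a
 * user name longer than the remaining space. Returns 1 when safe_append
 * truncates to exactly "sip:a-very-long" and reports that it did not fit. */
static int demo_truncated_append(void) {
    char buf[16] = "sip:";
    bool fit = safe_append(buf, sizeof(buf), "a-very-long-user-name");
    return (!fit && strcmp(buf, "sip:a-very-long") == 0) ? 1 : 0;
}

int main(void) {
    char buf[16] = "sip:";                 /* 4 bytes used, 11 left plus the NUL */
    const char *user = "a-very-long-user-name";
    /* The common misuse: n = sizeof(buf). strncat would copy 16 bytes of src
     * after the existing 4, needing 21 bytes in a 16-byte buffer. */
    printf("strncat(buf, user, sizeof buf) would overflow: %s\n",
           strncat_would_overflow(buf, user, sizeof(buf), sizeof(buf)) ? "yes" : "no");
    printf("safe_append truncates as expected: %d\n", demo_truncated_append());
    return 0;
}
```

A review checklist item that follows from this: for every strncat call, confirm the third argument is derived from the destination's remaining space (sizeof(dst) - strlen(dst) - 1), not from sizeof(dst) or from the source length.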
