
Re: Bad press again...



Florian Weimer wrote:
> * Steve Wray:
> 
> 
>>Another example is fwbuilder which *silently* fails to overwrite its
>>generated script at compile time if the user doesn't have write
>>permissions on the existing script.
> 
> 
> Most bugs in security tools are security bugs.  We have to draw a line
> somewhere, otherwise "stable" becomes meaningless.

Actually, having followed the mozilla/firefox discussion and various
other threads on this list, I am inclined to believe that the concept of
a "stable" distribution in the modern internet/open source environment
is already meaningless.

>>I view this as a security problem because what if you *think* you've
>>made changes to your firewall and are now protected only... you aren't
>>and the firewall hasn't been updated?
>>
>>Is that enough of a security problem for the fix to get into stable?
> 
> 
> The underlying problem seems to be that fwbuilder does not provide
> means to test a configuration after it has been applied to the system.
> Such tests would catch a more general class of problems, and not just
> some isolated file system problem.

Not quite.

When the fwbuilder application tries to write to the file, it fails.
This exception doesn't appear to be handled by anything at all and hence
the silent failure to write to the file.

The issue of actually testing firewall configurations is a whole 'nother
problem.
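
An added illustration of the silent write failure discussed in this message (not part of the original post and not fwbuilder's code): the swallowed-error pattern beside a writer that lets the error reach the caller and compares the file on disk with the compiled output. The function names, the file name and the sample rules are assumptions constructed for the example.

```python
import os
import tempfile


def write_script_silent(path, script):
    """The pattern described above: a failed write is swallowed."""
    try:
        with open(path, "wb") as fh:
            fh.write(script.encode())
    except OSError:
        pass  # the previous script stays in place and nobody is told


def is_stale(path, script):
    """True if the file on disk is missing or differs from the compiled output."""
    try:
        with open(path, "rb") as fh:
            return fh.read() != script.encode()
    except OSError:
        return True


def write_script_checked(path, script):
    """Overwrite the script, let write errors propagate, then verify the result."""
    with open(path, "wb") as fh:  # PermissionError and friends reach the caller
        fh.write(script.encode())
        fh.flush()
        os.fsync(fh.fileno())
    if is_stale(path, script):
        raise RuntimeError(f"{path} does not match the compiled policy")


if __name__ == "__main__":
    # Constructed sample: an old permissive script and a newly compiled one.
    old, new = "iptables -P INPUT ACCEPT\n", "iptables -P INPUT DROP\n"
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "firewall.fw")
        write_script_checked(target, old)
        os.chmod(target, 0o444)  # user loses write permission (no effect as root)
        write_script_silent(target, new)
        print("stale after silent write:", is_stale(target, new))
        try:
            write_script_checked(target, new)
        except OSError as exc:
            raise SystemExit(f"compile failed, firewall script NOT updated: {exc}")
```

Run as an unprivileged user, the demo reports the script as stale after the silent write and then exits non-zero from the checked writer.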



