Posted by Stu @ 12:46 AM, Fri 31 Dec 04
Filed under: PHP
… but sometimes there’s just nothing else to be done.
I’ve just package masked dev-php/asp2php. This package contains two confirmed buffer overflows, which can be used to maliciously install files using the permissions of whoever runs the script. This fault was first discovered a couple of weeks ago, and is one of the now infamous 44 problems discovered and reported by D. J. Bernstein.
It’s a buffer overflow. They happen to even the best of packages. Normally the fault gets fixed, a new version comes out, and life goes on. But not in this case.
Unfortunately, the author of asp2php either doesn’t understand that it is his code which contains the fault, or he simply doesn’t care. Honestly, I don’t know which. But either way, his denial leaves Gentoo with a problem. It leaves Gentoo with three choices:
- Continue distributing the package, but warn users that it contains known security holes. Well, I’m not going to say that this should never happen, but it’s not something any responsible distribution can do regularly. There’s a trust thing between users and their Linux distributions, and part of that is being able to trust that the packages a user installs don’t contain known security holes.
- Fix the package ourselves, and (hopefully) get the patch accepted upstream. This does happen sometimes, but does Gentoo really want to be stuck having to patch a package because the original author doesn’t want to fix his own code? What’s going to happen the next time? Or the time after that?
- Remove the package, and publish a security advisory advising everyone to uninstall the package. It’s the saloon of last resort, but it’s the responsible thing to do with abandonware. An upstream package with known (and unfixed) security holes is a form of abandonware. Exploits allow machines connected to the Internet to be turned into zombies: machines used as relays to send spam (or worse) to other machines, and ultimately to me and you. Security matters, and anyone who has a cavalier attitude towards it should not be writing or selling software.