Slashdot Mirror


Vulnerabilities Found (and Sought) In More Command-Line Tools

itwbennett writes The critical Shellshock vulnerabilities found last month in the Bash Unix shell have motivated security researchers to search for similar flaws in old, but widely used, command-line utilities. Two remote command execution vulnerabilities were patched this week in the popular wget download agent and tnftp client for Unix-like systems [also mentioned here]. This comes after a remote code execution vulnerability was found last week in a library used by strings, objdump, readelf and other command-line tools.

9 of 87 comments

  1. great news by Anonymous Coward · · Score: 5, Interesting

    hopefully any remaining bugs will be found and we end up with better products

  2. tnftp by Anonymous Coward · · Score: 5, Informative

    From one of the referenced articles:

    Tnftp is a cross-platform port of the original BSD FTP client. It is the default FTP client in NetBSD, FreeBSD, DragonFly BSD and Mac OS X, but it is also available in many Linux distributions.

    The tnftp package shipped with OpenBSD is not vulnerable due to some changes made to the code some time ago.

    It's almost like the OpenBSD team knows what they're doing when it comes to security.

    1. Re:tnftp by MrBingoBoingo · · Score: 4, Insightful

      Well the difference is... reading, and reading is nothing if not for rereading. A billion, thousand, or even three eyes mean nothing if they're aimed at cat videos. Instead of reinventing every API to keep it fresh a la the GNOME model, to get actual tools you have to instead make sure what you're already working with... works.

  3. Am I paranoid? by BlackPignouf · · Score: 4, Interesting

    I don't know if I'm being paranoid, but I'm pretty sure there are backdoors in every major open source project: gcc, the linux kernel, ssh, gpg and bash to name a few.
    They've been either actively introduced by NSA/FSB/... or found and jealously kept secret.
    It's not like recent history has proven this theory wrong. :-/

    1. Re:Am I paranoid? by Anonymous Coward · · Score: 4, Insightful

      It's not like your "theory" is falsifiable, either.

  4. For all the idiots by mcrbids · · Score: 5, Insightful

    ... to the masses of sarcastic "I thought Open Source was more secure!" crowd: in an Open Source forum, when vulnerabilities are found, they are patched. Since it's a public forum, the vulnerabilities are disclosed, and patches / updates made available. The poor, sorry state of the first cut gets rapidly and openly improved.

    With closed source, the vulnerabilities merely stay hidden and undisclosed, and you have no ability to know about it, or fix it yourself. The poor, sorry state of the first cut never improves. Yes, there are some cultures that take security seriously. You have no way of knowing.

    This, right here, is what "more secure" looks like: public notification of the vulnerabilities and patches to distribute.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.

    1. Re:For all the idiots by chipschap · · Score: 4, Insightful

      Here we go again, more "proof" for the "see I told you Windows is better" crowd.

  5. Re:what happened to obscurity by Zero__Kelvin · · Score: 4, Informative

    In Open Source vernacular, we call that becoming more and more secure :-)

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

  6. Re:Vulnerabilities Found (and Sought) In MS Window by Bite The Pillow · · Score: 4, Informative

    What the hell is wrong with the title exactly? Shellshock made people realize that open source should be reviewed, especially in things that haven't changed much lately.

    With that approach, they found a few problems, patched them, and continue to look for more. It's not well written, but that's expected.

    Defend.