About Archive Tags RSS Feed


I still got the blues for you

11 January 2008 21:50

Been a week since I posted. I've not done much, though I did complete most of the migration of my planet-searching code to gluck.debian.org.

This is now logging to a local SQLite database, and available online.

I've updated the blog software so that I can restrict comments to posts made within the past N days - which has helped with spam.

My other comment-spam system is the use of the crm114 mail filter. I have a separate database now for comments (distinct from that I use for email), and after a training on previous comments all is good.

Other than being a little busy over the past week life is good. Especially when I got to tell a recruitment agent that I didn't consider London to be within "Edinburgh & Surrounding Region". Muppets.

The biggest downside of the week was "discovering" a security problem in Java, which had been reported in 2003 and is still unfixed. Grr. (CVE-2003-1156 for those playing along at home).

Heres the code:

#  Grep for potentially unsafe /tmp usage in shared libraries

find /lib -name '*.so' -type f -print > /tmp/$$
find /usr/lib -name '*.so' -type f -print >> /tmp/$$
for i in $(cat /tmp/$$ ); do
    out=$(strings $i | grep '/tmp')
    if [ ! -z "$out" ]; then
        echo "$i"
        echo "$out"
rm /tmp/$$



Comments on this entry

icon Justin at 01:08 on 12 January 2008
heh, isn't that script technically using /tmp in an unsafe way? :)
icon Steve at 12:43 on 13 January 2008


Still it was executed upon a machine with myself as the only user so it's not too bad!

icon Alex at 20:15 on 13 January 2008
So now Steve's on the case we can expect that Java bug to get nailed, after almost 5 years of being open? :P
icon Anonymous at 00:25 on 15 January 2008

Steve: Still, you have to appreciate the irony. :) I personally think many temp file vulnerabilities arise this way: someone writes a script with bad temp file usage, figuring it doesn't matter, then nobody fixes it when the script becomes more popular and widely used.

By the way, your comment form has an annoying feature: if you submit without filling out the email field, it removes the form, replaces it with a note saying "missing fields", and provides no way to get the form back to correct it. If my browser did not keep form data around when I refreshed (or if your site broke that as many sites do), I would have lost the text of my comment.