1000 Eyes That Don’t Want To Check Open-source Code

December 17, 2021
in Software Development
There’s a myth that open-source software is better and safer than closed-source software. This has been reasonably questioned many times: people regularly find epic vulnerabilities in open-source code, and these vulnerabilities have often been there for a long time. I think the quality of a project depends on how the development managers arrange the process and which methodologies and tools are used. It has nothing to do with the project being open source or closed source.

However, this myth is still alive. People believe that a thousand eyes can inspect the code, and someone will find an error. I think you’ve got the idea.

As a PVS-Studio developer who has found thousands of bugs in open-source projects, I am very skeptical about that. First, I doubt that someone is actually looking for errors and vulnerabilities. Second, as one of the people who do look, I can say that developers often don’t care about these efforts. They may not be interested in the project’s quality and reliability. They are interested in new features or something else, not in potential problems and security defects.

Authors of open-source projects have ignored or shelved many of my bug reports. Do you want proof? Here. Today I have a perfect example.

I was prompted to write this mini note by an unexpected message from the Samba project bug tracker. At first, I didn’t understand what kind of message it was, but as it turns out, the developers got to the bug report I left 9 years ago! Bug 9320 — PVS-Studio.

For nine years they ignored bugs in their project. For nine years they ignored the fact that their project contains old versions of libraries with potential vulnerabilities like CWE-14 (compiler removal of code to clear buffers). Even now (while I’m writing this note) the code has dangerous memset calls. Here, for example:

static void
md_result(MD_CTX * ctx, unsigned char *dst)
{
  SHA256_CTX tmp;

  memcpy(&tmp, ctx, sizeof(*ctx));
  SHA256_Final(dst, &tmp);
  /* tmp is never read again: the optimizer may treat this memset as a dead store and drop it (CWE-14) */
  memset(&tmp, 0, sizeof(tmp));
}

Or here:

static void
calc(struct md2 *m, const void *v)
{
  unsigned char x[48], L;
  const unsigned char *p = v;
  int i, j, t;

  ....
  memcpy(m->state, x, 16);
  /* same pattern: x goes out of scope right after, so the memset may be removed */
  memset(x, 0, sizeof(x));
}

Since the cleared buffer is never read afterwards, the compiler is free to delete these memset calls as dead stores, and the private data will remain in memory. If you want to dive into this topic, you can read “Safe clearing of private data“.
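The following is an added example, not code from the article or from Samba: it mirrors the md_result() pattern above with a toy stand-in for SHA256_Final (the real hash is not needed to show the point) and replaces the plain memset with a clearing routine that goes through a volatile function pointer, which the optimizer cannot prove to be memset and therefore cannot drop. A byte-wise volatile-store variant is included as well; both are assumptions about how a project would harden this, not Samba's fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hardened clearing: the call goes through a volatile function pointer, so
 * the compiler cannot see that the callee is memset and cannot remove the
 * call as a dead store. explicit_bzero()/memset_s() serve the same purpose
 * where available. */
static void *(*volatile memset_vp)(void *, int, size_t) = memset;

void secure_memzero(void *p, size_t n)
{
    memset_vp(p, 0, n);
}

/* Alternative without a function pointer: volatile byte stores must be
 * emitted even when the buffer is never read again. */
void secure_memzero_volatile(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Toy stand-in for SHA256_Final (constructed; NOT a real hash): an FNV-1a
 * style fold so the example has something to compute from the state copy. */
static uint32_t toy_final(const uint8_t *state, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++)
        h = (h ^ state[i]) * 16777619u;
    return h;
}

/* Same shape as md_result(): copy the context, finalize from the copy, then
 * wipe the copy before it goes out of scope. The wipe now survives -O2. */
uint32_t md_result_hardened(const uint8_t *ctx, size_t n)
{
    uint8_t tmp[64];
    if (n > sizeof tmp) n = sizeof tmp;
    memcpy(tmp, ctx, n);
    uint32_t digest = toy_final(tmp, n);
    secure_memzero(tmp, sizeof tmp);   /* plain memset could be elided here */
    return digest;
}

/* Fills a caller-owned buffer with non-zero bytes, clears it with each
 * routine, and reports 1 only if every byte is zero afterwards. */
int demo_secure_clear(void)
{
    uint8_t buf[32];
    uint8_t acc = 0;
    memset(buf, 0xAB, sizeof buf);
    secure_memzero(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++) acc |= buf[i];
    memset(buf, 0x5A, sizeof buf);
    secure_memzero_volatile(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++) acc |= buf[i];
    return acc == 0;
}
```

Inspecting the -O2 assembly of a function that uses plain memset on a dying local versus secure_memzero() is the quickest way to see the difference: the former typically has no store sequence at all.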

Maybe these bugs and security defects do not pose any real threat. But we’re talking about something else here. The project developers don’t care. Third-party developers don’t care either. No one wants to search for and fix the bugs, although static analyzers like PVS-Studio find them easily. No one wants to fix the bugs reported in bug reports.

I blew off the steam. I’m feeling better. Thanks for reading it :). Now I can refer to this note when someone says that open-source code is safer.
