Savannah, SQL Injection, Passwords, and Security Posture

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Dec 5 10:54:22 CET 2010


On 12/02/2010 09:34 PM, Jeffrey Walton wrote:

> According to http://savannah.gnu.org/, the server was down for a few 
> days due to a SQL Injection. Because the server did not properly 
> sanitize its data, the password database was compromised. Today, I 
> tried to change my password to a similar password. Surprisingly, the
> change was rejected because the password was too similar. The 
> "surprising" part is it appears GNU is storing passwords in plain 
> text. I'm going out on a limb and guessing that free software 
> stored the passwords in the plain text. "Password Security: A Case 
> History" by Morris and Thompson was written in the 1970s. Sadly, GNU
> has totally punned lessons learned in the past.

GNU is a big organization, with different people, and maybe some common
policies. About security policies, you might want to contact the gnu
maintainers mailing list, or some other internal list. My relation with
FSF and GNU is only the fact that GNUTLS is part of GNU, and I
transferred copyright to FSF. I'm not actively involved organizationally.

> The GnuTLS project happily uses dangerous string functions. Use of
> the functions appears unaudited, suffering unchecked buffer overflows
> and truncations. In fact, the project took a buffer overflow report
> today due to a call to sprintf.

I thought you were familiar with the gnutls internals. In any case,
GnuTLS uses its own string functions, internally, which have no issues
related to buffer overflows. The only cases where we use the libc
functions, such as snprintf and friends, are when the strings are static,
and will not exceed the given buffers. If you have some example where
this is not the case please report it (I already explained that in a
previous e-mail).

If you are referring to overflow of the test program gnutls-serv, I
wouldn't care that much. It is a testing program, not one expected to be
run on a non-developer's PC.

> Sadly, GNU has totally punned lessons learned in the past (again).

Please don't confuse me with GNU.

regards,
Nikos
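The exchange above turns on two uses of the libc formatting functions: an
unbounded sprintf() into a fixed buffer, which is the overflow Jeffrey refers
to, and the bounded case Nikos describes, where the format and argument types
fix an upper limit on the output so the buffer can be sized to fit. The
following C program is an added example, not code from GnuTLS or from either
author; it puts the vulnerable pattern beside a snprintf() call whose return
value is checked for truncation, and shows how the "static, cannot exceed the
buffer" argument can be made explicit. Buffer sizes, the greeting and version
formats, the constructed 40-byte input, and the assumption that unsigned int
is 32 bits (at most 10 decimal digits) are illustrative choices.

```c
/* Added example, not code from GnuTLS or from anyone in this thread.
 * It puts the unbounded sprintf() pattern beside a bounded snprintf()
 * whose return value is checked for truncation, and shows how the
 * "static format that cannot exceed the buffer" case can be made
 * explicit.  Buffer sizes, formats and the assumption that unsigned int
 * is 32 bits (at most 10 decimal digits) are illustrative choices. */
#include <stdio.h>
#include <string.h>

#define GREETING_BUF 24
/* 40 bytes of attacker-style input, constructed for the demo. */
#define LONG_NAME "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"

/* Vulnerable pattern: sprintf() has no idea how large 'out' is, so a
 * 'name' longer than the remaining space is written past the end of the
 * buffer.  Shown for contrast only; the demo never calls it with input
 * that does not fit. */
void vulnerable_greeting(char *out, const char *name)
{
    sprintf(out, "Hello, %s!", name);   /* no bound on bytes written */
}

/* Hardened form: snprintf() writes at most 'outlen' bytes and returns
 * the length the untruncated string would have had.  A return value
 * >= outlen means truncation; report it instead of silently using a
 * cut-off string.  Returns 0 on success, -1 on truncation or error. */
int safe_greeting(char *out, size_t outlen, const char *name)
{
    int n = snprintf(out, outlen, "Hello, %s!", name);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Bytes (including the NUL) that the unbounded call would write, using
 * the C99 snprintf(NULL, 0, ...) measuring idiom.  Lets a caller detect
 * an overflow without performing it. */
size_t greeting_bytes_needed(const char *name)
{
    return (size_t)snprintf(NULL, 0, "Hello, %s!", name) + 1;
}

/* The case Nikos describes: when the format and argument types fix an
 * upper bound on the output, a libc call is safe as long as the buffer
 * is sized from that bound.  Three unsigned ints are at most 10 digits
 * each, plus two dots and a NUL: 33 bytes.  The static assertion makes
 * that reasoning fail the build if someone later shrinks the buffer.
 * 'out' must have VERSION_BUF bytes; returns the formatted length. */
#define VERSION_BUF 40
int format_version(char *out, unsigned major, unsigned minor, unsigned patch)
{
    _Static_assert(VERSION_BUF >= 3 * 10 + 2 + 1, "VERSION_BUF too small");
    return snprintf(out, VERSION_BUF, "%u.%u.%u", major, minor, patch);
}

/* Self-checks returning 1 when the behaviour is as described above. */
int check_short_name_fits(void)
{
    char buf[GREETING_BUF];
    return safe_greeting(buf, sizeof buf, "nmav") == 0 &&
           strcmp(buf, "Hello, nmav!") == 0;
}

int check_long_name_rejected(void)
{
    char buf[GREETING_BUF];
    return greeting_bytes_needed(LONG_NAME) > GREETING_BUF &&
           safe_greeting(buf, sizeof buf, LONG_NAME) == -1 &&
           buf[0] == '\0';
}

int check_version_worst_case(void)
{
    char ver[VERSION_BUF];
    int n = format_version(ver, 4294967295u, 4294967295u, 4294967295u);
    return n == 32 && strcmp(ver, "4294967295.4294967295.4294967295") == 0;
}

int main(void)
{
    printf("short name fits: %d\n", check_short_name_fits());
    printf("long name needs %zu bytes, buffer has %d, rejected: %d\n",
           greeting_bytes_needed(LONG_NAME), GREETING_BUF,
           check_long_name_rejected());
    printf("worst-case version string bounded: %d\n",
           check_version_worst_case());
    return 0;
}
```

The point of the version helper is that "the strings are static and will not
exceed the given buffers" is a claim about the format string and the argument
types, and it can be written down as a compile-time check rather than left as
something a reviewer has to re-derive; the greeting helper shows that once the
input is not static, the only safe option is a bounded call whose return value
is actually inspected.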
