[vlc-devel] Re: code security audit: you can help
Jean-Paul Saman
saman at natlab.research.philips.com
Mon Oct 6 09:45:25 CEST 2003
Sam Hocevar wrote:
>
> 3. That's not all, folks
> --------------------------
>
> Of course this is not perfect. For instance, we don't know how the
> libraries we use will behave when given corrupted data, and we cannot
> ultimately trust their authors for doing the checks, so maybe we will
> need to audit external code as well. But let us first sweep in front of
> our own door!
>
> For those who have time, I suggest reading the Secure Programming
> HOWTO [2], which is pretty big but has a lot of sections that directly
> apply to VLC.
>
> There may also be design issues that will not be spotted with such a
> keyhole review, such as race conditions. Or what happens if a webpage
> contains a "vlc:quit" target, or something even nastier? However I
> haven't thought about them yet, so it will be another discussion. If you
> have more ideas, please comment!
>
>
> [1] http://lists.insecure.org/lists/bugtraq/2003/Sep/0003.html
> [2] http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html
Here are some other sites that give useful information about secure
programming:
http://www.secureprogramming.com/
http://tldp.org/HOWTO/Secure-Programs-HOWTO/index.html
--
Kind greetings,
Jean-Paul Saman
--
This is the vlc-devel mailing-list, see http://www.videolan.org/vlc/
To unsubscribe, please read http://developers.videolan.org/lists.html
If you are in trouble, please contact <postmaster at videolan.org>