Hacker Timesnew | past | comments | ask | show | jobs | submitlogin

Why not? This weird complaint has been happening since ~2010 and it has never made any sense. You are strictly better off with the website than without it. When it was vulnerability researchers getting all peevish about the status competition they were running, I at least understood where the complaint was coming from, but even among practitioners, branded vulnerabilities are so much the norm at this point that there's no status implication anymore.
 help



> You are strictly better off with the website than without it.

Why? This is a better resource in every way: https://cgit.freebsd.org/src/commit/?id=000d5b52c19ff3858a6f...

It details the actual problem instead of showing off tired stack exploit tricks.

reply


No, that commit log is obviously not better than the page explaining the vulnerability and the exploit vectors.

Case in point: what's "tired" about the stack exploitation techniques they're using here?

And, while you're not right, even stipulating that you were, what would that matter? How is anyone better off with less explanation of a vulnerability?

reply


The website explains an exploit. I've seen exploits before. The commit explains the unique issue.

I'm more interested in the why than the how.

I suppose people with different overall goals will see that differently.

reply


You didn't answer my question. What's "tired" about the exploit technique here?

reply


Is that even the fix though? The problem sizeof*groups expression has already been removed by that point. This fixes something but it's not obviously related to the vulnerability description.

git log -S suggests 4cd93df95e697942adf0ff038fc8f357cbb07cf9, which looks more likely: https://cgit.freebsd.org/src/commit/?id=4cd93df95e697942adf0... - though not to say you don't want the later commit too. I'm sure you do.

reply




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: