Reasons for bugs being introduced with security fixes

Posted on July 31, 2009 by Marcus.

This posting is mainly addressing TYPO3 extensions.


If you are using the TYPO3 extension CoolURI and have followed the TYPO3 Security Team's advice to upgrade in the latest advisory (TYPO3-SA-2009-010), you might notice problems when calling a website without parameters.

I'm picking this specific issue to explain why such problems happen from time to time.


If you have already dealt with the TYPO3 Security Team, you might remember that we stress that a small number of rules be followed. The important ones are:

  • Make only the least necessary modifications to the code to fix a vulnerability!
  • Integrate only security modifications in the new extension version that is going to be uploaded to the TER - no normal bugfixes, no new features.

With these rules we're trying to make sure that every TYPO3 user is able to upgrade/install the new extension version. In a perfect world users wouldn't notice any change from the previous version - only a security hole would be closed.

So why do bugs still appear although such rules are in place?

  • Once informed, extension developers fix a vulnerability on their own and upload the new extension version without further communication, discussion or consultation with the TYPO3 Security Team.
  • Extension developers don't read our mails and sneak further non-security-related code changes into the newly released extension version.
  • Security fixes might have side effects. With a complex extension, the Security Team is unable to test every function the extension provides.
  • Humans do make errors.

We basically depend on the goodwill of extension developers and hope that they understand their extensions and have tested their security fix thoroughly in the scope of the complete extension. We make sure that the reported vulnerability is fixed.

I hope you understand and accept the reasons given above for such bugs. We're doing our best to prevent them. Please never hesitate to follow the advice in our TYPO3 Security bulletins - otherwise you risk a compromised TYPO3 installation.


By the way, the CoolURI issue happened because the extension developer not only fixed the security vulnerability but also integrated further code changes, and did the fixing on his own.
