gnutls-devel

Savannah, SQL Injection, Passwords, and Security Posture


From: Jeffrey Walton
Subject: Savannah, SQL Injection, Passwords, and Security Posture
Date: Thu, 2 Dec 2010 15:34:47 -0500

Hi All,

According to http://savannah.gnu.org/, the server was down for a few
days due to a SQL Injection. Because the server did not properly
sanitize its data, the password database was compromised.

Today, I tried to change my password to a similar password.
Surprisingly, the change was rejected because the password was too
similar. The "surprising" part is it appears GNU is storing passwords
in plain text.

I'm going out on a limb and guessing that free software stored the
passwords in plain text. "Password Security: A Case History" by
Morris and Thompson was written in the 1970s. Sadly, GNU has totally
punned lessons learned in the past.

The GnuTLS project happily uses dangerous string functions. Use of the
functions appears unaudited, suffering unchecked buffer overflows and
truncations. In fact, the project took a buffer overflow report today
due to a call to sprintf. Sadly, GNU has totally punned lessons
learned in the past (again).

Would someone be able to provide GNU's policy regarding application
security and proper use of cryptography in GNU projects? "GNU Coding
Standards" (http://www.gnu.org/prep/standards/standards.html) does not
address anything security related. I'm very interested in learning
about GNU's security posture.

Jeff
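The sprintf problem Jeff refers to, as an added illustration that is not code from GnuTLS or from the poster: the unbounded sprintf() call beside a snprintf() version whose return value is checked, so that truncation is reported instead of silently producing a shortened string. BUF_SIZE, the "user=" prefix and the sample names are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size destination, as in the typical "it will always fit" call.
 * BUF_SIZE and PREFIX are constructed values for this example. */
#define BUF_SIZE 16
#define PREFIX   "user="

/* Vulnerable pattern: sprintf() is never told how large `out` is, so any
 * `name` longer than BUF_SIZE - strlen(PREFIX) - 1 bytes writes past the
 * end of the buffer.  Kept only to show the shape of the bug; main() below
 * calls it with a known-short name so this program itself does not overflow. */
void format_label_unsafe(char out[BUF_SIZE], const char *name)
{
    sprintf(out, PREFIX "%s", name);
}

/* Hardened pattern: snprintf() bounds the write, and its return value is
 * the length the full string WOULD have had.  A value >= size means the
 * output was truncated, which for a hostname or a DN is a bug of its own,
 * so the caller is told rather than handed a shortened string. */
bool format_label_safe(char *out, size_t size, const char *name)
{
    int n = snprintf(out, size, PREFIX "%s", name);
    if (n < 0)
        return false;            /* encoding error */
    return (size_t)n < size;     /* false => truncated */
}

/* Bytes the unbounded sprintf() would write, including the NUL. */
size_t bytes_needed(const char *name)
{
    return strlen(PREFIX) + strlen(name) + 1;
}

/* 1 if the label for `name` fits in BUF_SIZE without truncation. */
int label_fits(const char *name)
{
    char buf[BUF_SIZE];
    return format_label_safe(buf, sizeof buf, name) ? 1 : 0;
}

/* 1 if the (possibly truncated) bounded output for `name` equals `expected`. */
int label_matches(const char *name, const char *expected)
{
    char buf[BUF_SIZE];
    format_label_safe(buf, sizeof buf, name);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would overflow. */
    const char *short_name = "alice";
    const char *long_name  = "averyveryverylongname";
    char buf[BUF_SIZE];

    format_label_unsafe(buf, short_name);
    printf("unsafe, short name: %s\n", buf);
    printf("unsafe, long name : would write %zu bytes into %d (overflow)\n",
           bytes_needed(long_name), BUF_SIZE);

    if (format_label_safe(buf, sizeof buf, long_name))
        printf("safe,   long name : %s\n", buf);
    else
        printf("safe,   long name : truncated to \"%s\", rejected\n", buf);
    return 0;
}
```

The point of the return-value check is that snprintf() alone only turns an overflow into a truncation; without the check, a 21-character name becomes a 10-character one and the caller proceeds as if nothing happened.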


