How Badlock was discovered and fixed

Post Syndicated from corbet original

A post on the Red Hat Enterprise Linux blog
describes the discovery and
repair of the “Badlock” vulnerability. One begins to understand a little
better why the fix took as long as it did. “The code was rewritten; in
March 2016 the changes needed to fix all eight CVEs amounted to about 200
individual patches against a development version of Samba, with about half
of those responsible for fixing CVE-2015-5370. When backported to previous
stable Samba versions, they needed an additional hundred patches. To the oldest
supported Samba version — about four hundred patches. What started as an
individual snowflake became an avalanche but it wasn’t finished