Re: Bug#27050 (fdutils): A cause for security concern?

To: debian-devel@lists.debian.org
Subject: Re: Bug#27050 (fdutils): A cause for security concern?
From: John Hasler <john@dhh.gt.org>
Date: 21 Jan 1999 22:00:54 -0600
Message-id: <[🔎] 874spkneh5.fsf@hasler.dhh>
In-reply-to: Wichert Akkerman's message of "Fri, 22 Jan 1999 01:52:22 +0100"
References: <[🔎] 19990119164337.B6726@visi.net> <[🔎] 19990119171601.C15042@worldvisions.ca> <[🔎] 19990120141859.A3200@sacrifice> <[🔎] 87lniyps8k.fsf@hasler.dhh> <[🔎] 19990120175736.B6715@worldvisions.ca> <[🔎] 87sod5o4ha.fsf@hasler.dhh> <[🔎] 19990121021927.C2907@cs.leidenuniv.nl> <[🔎] 87k8yhnxh5.fsf@hasler.dhh> <[🔎] 19990121151154.A30235@cs.leidenuniv.nl> <[🔎] 87emoooa0t.fsf@hasler.dhh> <[🔎] 19990122015222.A571@cs.leidenuniv.nl>

Wichert Akkerman writes:
> It might be much easier to just replace them with snprintf's.

That is what I meant when I said I know how to fix them. 

> Also check for things like strcpy()...

I'd rather trace out the input string handling than just grep for dangerous
functions.  There isn't that much of it.  The few strcpy's I found look
safe, but I can think of ways to overrun a buffer without using any
functions known to be dangerous.

> ....insecure handling of files, etc.

No files.  What there is, however, is a password being sent in a udp
packet.  I haven't finished figuring out how he handles it, but it looks
sniffable to me.
-- 
John Hasler
john@dhh.gt.org (John Hasler)
Dancing Horse Hill
Elmwood, WI

Reply to:

References:
- Re: Bug#27050 (fdutils): A cause for security concern?
  - From: Ben Collins <bmc@visi.net>
- Re: Bug#27050 (fdutils): A cause for security concern?
  - From: Avery Pennarun <apenwarr@worldvisions.ca>
- Re: Bug#27050 (fdutils): A cause for security concern?
  - From: Robert Donn <squirk@ihug.co.nz>
- Re: Bug#27050 (fdutils): A cause for security concern?
  - From: John Hasler <john@dhh.gt.org>
- Re: Bug#27050 (fdutils): A cause for security concern?
  - From: Avery Pennarun <apenwarr@worldvisions.ca>
- Re: Bug#27050 (fdutils): A cause for security concern?
  - From: John Hasler <john@dhh.gt.org>
- Re: Bug#27050 (fdutils): A cause for security concern?
  - From: Wichert Akkerman <wakkerma@cs.leidenuniv.nl>
- Re: Bug#27050 (fdutils): A cause for security concern?
  - From: John Hasler <john@dhh.gt.org>
- Re: Bug#27050 (fdutils): A cause for security concern?
  - From: Wichert Akkerman <wakkerma@cs.leidenuniv.nl>
- Re: Bug#27050 (fdutils): A cause for security concern?
  - From: John Hasler <john@dhh.gt.org>
- Re: Bug#27050 (fdutils): A cause for security concern?
  - From: Wichert Akkerman <wakkerma@cs.leidenuniv.nl>

Prev by Date: Re: Intent to package rolldice, blackjack
Next by Date: Re: Intent to package rolldice, blackjack
Previous by thread: Re: Bug#27050 (fdutils): A cause for security concern?
Next by thread: Re: Bug#27050 (fdutils): A cause for security concern?
Index(es):
- Date
- Thread