
Re: Bug#27050 (fdutils): A cause for security concern?

Wichert Akkerman writes:
> It might be much easier to just replace them with snprintf's.

That is what I meant when I said I know how to fix them.

> Also check for things like strcpy()...

I'd rather trace out the input string handling than just grep for dangerous
functions.  There isn't that much of it.  The few strcpy's I found look
safe, but I can think of ways to overrun a buffer without using any
functions known to be dangerous.

> ....insecure handling of files, etc.

No files.  What there is, however, is a password being sent in a udp
packet.  I haven't finished figuring out how he handles it, but it looks
sniffable to me.

John Hasler
john@dhh.gt.org (John Hasler)
Dancing Horse Hill
Elmwood, WI
