Re: Bug#27050 (fdutils): A cause for security concern?
Wichert Akkerman writes:
> It might be much easier to just replace them with snprintf's.
That is what I meant when I said I know how to fix them.
> Also check for things like strcpy()...
I'd rather trace out the input string handling than just grep for dangerous
functions. There isn't that much of it. The few strcpy's I found look
safe, but I can think of ways to overrun a buffer without using any
functions known to be dangerous.
> ....insecure handling of files, etc.
No files. What there is, however, is a password being sent in a udp
packet. I haven't finished figuring out how he handles it, but it looks
sniffable to me.
--
John Hasler
john@dhh.gt.org (John Hasler)
Dancing Horse Hill
Elmwood, WI
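As an added C illustration of the two points in this exchange (not fdutils code, and not the poster's): a hand-rolled copy loop that a grep for strcpy() would never flag, beside a bounded version, and an snprintf() replacement for a sprintf() call whose return value is checked for truncation. The function names and the 16-byte field size are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not fdutils code. The loop below walks src up to
 * ':' or NUL with no check against the 16-byte destination: nothing a
 * search for strcpy()/sprintf() would report, yet it overruns dst. */
static void field_copy_unbounded(char dst[16], const char *src)
{
    size_t i = 0;
    while (src[i] != '\0' && src[i] != ':') {
        dst[i] = src[i];        /* writes past dst once i reaches 16 */
        i++;
    }
    dst[i] = '\0';
}

/* Bounded replacement: the loop is limited by dstsz and the caller is
 * told whether the input was truncated. dst is always NUL-terminated. */
static bool field_copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t i = 0;
    if (dstsz == 0)
        return false;
    while (src[i] != '\0' && src[i] != ':') {
        if (i + 1 >= dstsz) {   /* no room left before the terminator */
            dst[i] = '\0';
            return false;
        }
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return true;
}

/* snprintf() in place of sprintf(): it never writes past bufsz, but the
 * return value still has to be checked, because it reports the length
 * the whole string would have had, not how much was actually stored. */
static bool format_bounded(char *buf, size_t bufsz, const char *host, int port)
{
    int n = snprintf(buf, bufsz, "%s:%d", host, port);
    return n >= 0 && (size_t)n < bufsz;
}

int main(void)
{
    char field[16];
    field_copy_unbounded(field, "fd0:rest");   /* only safe because the input is short */
    printf("%s %d\n", field, field_copy_bounded(field, sizeof field, "a-name-longer-than-16:x"));
    return 0;
}
```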