From owner-freebsd-ports Tue Jul 24 11:40: 7 2001
Delivered-To: freebsd-ports@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 02FB137B405 for ; Tue, 24 Jul 2001 11:40:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f6OIe1Y15114; Tue, 24 Jul 2001 11:40:01 -0700 (PDT) (envelope-from gnats)
Date: Tue, 24 Jul 2001 11:40:01 -0700 (PDT)
Message-Id: <200107241840.f6OIe1Y15114@freefall.freebsd.org>
To: freebsd-ports@FreeBSD.org
From: John Merryweather Cooper
Subject: Re: ports/29112: Potential security issues in Balsa & Encompass
Reply-To: John Merryweather Cooper
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
List-ID: 
X-Loop: FreeBSD.org

The following reply was made to PR ports/29112; it has been noted by GNATS.

From: John Merryweather Cooper
To: freebsd-gnats-submit@FreeBSD.org, quik@quikbox.ca
Subject: Re: ports/29112: Potential security issues in Balsa & Encompass
Date: Tue, 24 Jul 2001 11:36:42 -0700

Well, the problem is NOT in any of Balsa's source code. I've grepped, eye-balled, head-banged, etc. the entire source code and I can conclude:

1) setkey(3), des_setkey(3), encrypt(3), and des_cipher(3) reside in libcipher--correct me if I'm wrong, but this is a US-only library (at least legally). Since S/MIME is not currently implemented (but there are plans to do so for Balsa), lacking these functions produces the warnings--but does not appear to affect function--

2) mktemp() is not used anywhere in Balsa. Balsa "rolls its own" mktemp which resides in libmutt. There may be a performance advantage to using mkstemp() as a replacement (I will verify this)--

3) gets() is not used anywhere in Balsa--fgets() is properly used instead--

4) tmpnam() and tempnam() are not used anywhere in Balsa--all temp files appear to be generated using the libmutt "roll its own" mktemp() replacement--

Conclusion: the gets(), mktemp(), tmpnam(), and tempnam() warnings appear to come as a result of support code from outside Balsa. I haven't isolated which modules, yet . . .
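The linker warnings discussed in this reply flag two classic defects: temp-file routines that hand back a name (mktemp(3), tmpnam(3), tempnam(3)) which must then be opened in a second step, leaving a window in which someone else can create or symlink that path, and gets(3), which has no bound on how much it writes. The example below is added here and is not Balsa's, libmutt's or the PR author's code; it shows the pattern a port maintainer would want the support code to use instead: mkstemp(3), which picks the name and opens the file O_CREAT|O_EXCL in one step, followed by a check that what was opened is a private regular file, and a bounded fgets(3) reader that reports truncation instead of silently overflowing. The template prefix `balsa-example` and the sample text are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a private temporary file atomically with mkstemp(3). The name is
 * chosen and the file created O_CREAT|O_EXCL in a single call, so there is no
 * window between "pick a name" and "open it" as with mktemp(3)/tmpnam(3).
 * On success the open fd (>= 0) is returned and the path is left in path_out;
 * on failure -1 is returned and nothing is left behind on disk. */
int create_private_tempfile(char *path_out, size_t path_len)
{
    const char *tmpdir = getenv("TMPDIR");
    if (tmpdir == NULL || tmpdir[0] == '\0')
        tmpdir = "/tmp";
    /* The template must end in XXXXXX; mkstemp rewrites those in place. */
    int n = snprintf(path_out, path_len, "%s/balsa-example.XXXXXX", tmpdir);
    if (n < 0 || (size_t)n >= path_len)
        return -1;
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    /* Verify rather than assume: a regular file, one link, no group/other bits. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || (st.st_mode & 077) != 0) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

#define LINE_EOF      (-1L)
#define LINE_TOO_LONG (-2L)

/* Read one line into a fixed buffer with fgets(3) in place of gets(3).
 * Returns the line length (newline stripped), LINE_EOF at end of input, or
 * LINE_TOO_LONG when the line did not fit, so the caller sees truncation
 * instead of an overflow. On LINE_TOO_LONG the unread tail stays in the stream. */
long read_bounded_line(FILE *fp, char *buf, size_t buflen)
{
    if (buflen < 2 || fgets(buf, (int)buflen, fp) == NULL)
        return LINE_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return (long)(len - 1);
    }
    /* No newline: either the final line lacks one, or the line was too long. */
    int c = fgetc(fp);
    if (c == EOF)
        return (long)len;
    ungetc(c, fp);
    return LINE_TOO_LONG;
}

/* Demo: write constructed sample text to a private temp file, read it back with
 * the bounded reader (16-byte buffer, so at most 15 characters per line), and
 * return the number of complete lines, or -1 if any line was too long or the
 * temp file could not be created safely. The file is unlinked before returning. */
int demo_roundtrip(const char *sample)
{
    char path[4096];
    int fd = create_private_tempfile(path, sizeof path);
    if (fd < 0)
        return -1;
    FILE *fp = fdopen(fd, "w+");
    if (fp == NULL) {
        close(fd);
        unlink(path);
        return -1;
    }
    fputs(sample, fp);
    rewind(fp);
    char line[16];
    int lines = 0;
    long r;
    while ((r = read_bounded_line(fp, line, sizeof line)) != LINE_EOF) {
        if (r == LINE_TOO_LONG) {
            lines = -1;   /* refuse input we could not hold, rather than guess */
            break;
        }
        lines++;
    }
    fclose(fp);
    unlink(path);
    return lines;
}

int main(void)
{
    /* Constructed sample input for the demonstration. */
    printf("short lines: %d\n", demo_roundtrip("alpha\nbeta\ngamma\n"));
    printf("overlong line: %d\n",
           demo_roundtrip("this line is far longer than fifteen characters\n"));
    return 0;
}
```

The fstat check after mkstemp is the part that turns "the library says it is safe" into something the maintainer can verify: it catches an umask that leaves group or other bits set and an unexpected non-regular file, and it cleans up on any failure so no stray file is left in TMPDIR.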