Date: Thu, 13 Oct 2005 17:46:03 -0400
From: Kris Kennaway
To: Nate Eldredge
Cc: freebsd-bugs@FreeBSD.org
Subject: Re: gnu/45168: Buffer overflow in /usr/bin/dialog
Message-ID: <20051013214603.GA8244@xor.obsecurity.org>
In-Reply-To: <200510132130.j9DLURLA071293@freefall.freebsd.org>

On Thu, Oct 13, 2005 at 09:30:27PM +0000, Nate Eldredge wrote:
> The following reply was made to PR gnu/45168; it has been noted by GNATS.
>
> From: Nate Eldredge
> To: bug-followup@FreeBSD.org, saturnero@freesbie.org
> Cc: daveb@optusnet.com.au, freebsd-current@cs.hmc.edu
> Subject: Re: gnu/45168: Buffer overflow in /usr/bin/dialog
> Date: Thu, 13 Oct 2005 14:29:43 -0700 (PDT)
>
> libdialog appears to be brimming with bugs of this sort. Lots of uses of
> strcpy / strcat. It probably needs a complete audit. Ideally there
> should be no MAX_LEN and everything dynamically allocated. I hope to god
> it is never run by anything with elevated privileges.

void init_dialog(void)
{
	if (issetugid()) {
		errx(1, "libdialog is unsafe to use in setugid applications");
	}

Kris
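
The two remedies for the strcpy / strcat pattern discussed in this thread, as an added example that is not part of the original messages and is not libdialog code: a bounded append that refuses to overflow a fixed buffer, and a dynamically allocated join with no MAX_LEN at all. The function names bounded_append and join_alloc are hypothetical, and the MAX_LEN value is assumed for the demonstration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEN 16	/* assumed value for the demo; the thread gives none */

/*
 * Bounded replacement for strcat() into a fixed buffer: fails instead of
 * overflowing or silently truncating. Returns 0 on success, -1 on error
 * with errno set; dst is left unchanged on failure.
 */
int bounded_append(char *dst, size_t dstsize, const char *src)
{
	const char *end = memchr(dst, '\0', dstsize);
	size_t used, need = strlen(src);

	if (end == NULL) {			/* dst is not NUL-terminated */
		errno = EINVAL;
		return -1;
	}
	used = (size_t)(end - dst);
	if (need >= dstsize - used) {		/* no room for src plus NUL */
		errno = ENAMETOOLONG;
		return -1;
	}
	memcpy(dst + used, src, need + 1);	/* copies the terminating NUL */
	return 0;
}

/*
 * Dynamically allocated replacement for strcpy() + strcat(): the result
 * is sized from the inputs, so no fixed limit applies. Caller frees.
 */
char *join_alloc(const char *a, const char *b)
{
	size_t la = strlen(a), lb = strlen(b);
	char *out;

	if (lb > SIZE_MAX - la - 1) {		/* size arithmetic must not wrap */
		errno = EOVERFLOW;
		return NULL;
	}
	out = malloc(la + lb + 1);
	if (out == NULL)
		return NULL;
	memcpy(out, a, la);
	memcpy(out + la, b, lb + 1);		/* includes the terminating NUL */
	return out;
}
```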