Date: Mon, 15 Jul 1996 23:32:43 +0200
From: Wolfram Schneider <wosch@cs.tu-berlin.de>
To: Bruce Evans <bde@zeta.org.au>
Cc: pst@shockwave.com, thorpej@nas.nasa.gov, CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org, cvs-usrbin@freefall.freebsd.org, nate@freefall.freebsd.org
Subject: Re: cvs commit: src/usr.bin/rdist defs.h docmd.c expand.c lookup.c server.c
Message-ID: <199607152132.XAA00791@campa.panke.de>
In-Reply-To: <199607142351.JAA10509@godzilla.zeta.org.au>
References: <199607142351.JAA10509@godzilla.zeta.org.au>
Bruce Evans writes:
>>It may be overboard, but it certainly doesn't _hurt_ :-)
>
>It may give a false sense of security.

That's life. You close the front door and the burglar uses the window or kidnaps your children.

>> > Should we disable sprintf() for sgid/suid programs?
>
>Why stop there? Convert all strcpy()s to snprintf()s.

Hm, Paul already started ;-) Why wait for the next CERT report?

We have ~77 suid/sgid programs (total ~584 programs). Of course too many s-bits.

>pst         96/07/15 09:29:04
>
>  Modified:    usr.bin/rlogin  rlogin.c
>  Log:
>  Do a bounds check on the strcpy of environment variables onto the stack.
>
>  Revision  Changes    Path
>  1.11      +1 -1      src/usr.bin/rlogin/rlogin.c

Wolfram
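As an added illustration (not the rlogin.c revision 1.11 change itself, whose diff is not on this page, and not FreeBSD code), the C below shows the pattern the quoted commit message describes: a value taken from the environment copied with strcpy() into a fixed-size stack buffer in a program that may run set-uid, next to a bounds-checked replacement of the kind Bruce suggests. The buffer size, the function names, the "/speed" suffix and the sample inputs are all assumptions made for the example.

```c
/* Added example, not the FreeBSD rlogin code. Names, sizes and the appended
 * speed suffix are hypothetical; the sample values in main() are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TERMBUF_LEN 64          /* hypothetical fixed-size stack buffer */

/* Vulnerable form: the length of env_term is whatever the caller of the
 * set-uid binary put in its environment. Anything longer than TERMBUF_LEN
 * (minus the suffix) runs past the end of `term` on the stack. Kept only to
 * show the pattern; never called here with untrusted or oversized input. */
static void copy_term_unsafe(char *term, const char *env_term)
{
    strcpy(term, env_term);                 /* no length check at all */
    strcat(term, "/9600");                  /* suffix appended unchecked too */
}

/* Hardened form: bounds-checked copy. Returns 0 on success and -1 when the
 * value plus suffix and NUL would not fit, in which case `term` is left
 * holding a safe default rather than a silently truncated string. */
static int copy_term_bounded(char *term, size_t termlen,
                             const char *env_term, const char *speed)
{
    if (env_term == NULL || *env_term == '\0')
        env_term = "network";               /* same default as a missing TERM */

    int n = snprintf(term, termlen, "%s/%s", env_term, speed);
    if (n < 0 || (size_t)n >= termlen) {
        /* snprintf reported truncation: fall back and tell the caller */
        snprintf(term, termlen, "network/%s", speed);
        return -1;
    }
    return 0;
}

/* Fills a TERMBUF_LEN stack buffer from env_term and returns the status,
 * so the check can be exercised without handing a buffer to the caller. */
static int check_term(const char *env_term)
{
    char term[TERMBUF_LEN];
    return copy_term_bounded(term, sizeof term, env_term, "9600");
}

/* Same check for a constructed TERM value consisting of `len` 'A' bytes;
 * useful for probing the exact boundary of the buffer. */
static int check_term_len(size_t len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return -1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    int rc = check_term(buf);
    free(buf);
    return rc;
}

int main(void)
{
    char term[TERMBUF_LEN];

    /* Benign input: both forms agree. */
    copy_term_unsafe(term, "xterm");        /* constructed, short, safe to copy */
    printf("unsafe  : %s\n", term);
    printf("bounded : rc=%d\n", copy_term_bounded(term, sizeof term, "xterm", "9600"));
    printf("          %s\n", term);

    /* Boundary: 58 bytes + "/9600" + NUL is exactly 64 and fits; 59 does not.
     * The unsafe form would write one byte past the buffer at 59 and beyond. */
    printf("58 A's  : rc=%d\n", check_term_len(58));
    printf("59 A's  : rc=%d\n", check_term_len(59));
    printf("200 A's : rc=%d\n", check_term_len(200));
    printf("no TERM : rc=%d\n", check_term(NULL));
    return 0;
}
```

The point of returning -1 instead of quietly truncating is that a set-uid program should treat an oversized environment value as hostile input and refuse or substitute a default, not ship whatever fits. Whether the real rlogin.c fix chose truncation, a default or an error is not visible on this page.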