From owner-freebsd-audit Fri Aug 11 22:33:22 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 0CFDA37BB01; Fri, 11 Aug 2000 22:32:57 -0700 (PDT) (envelope-from green@FreeBSD.org)
Date: Sat, 12 Aug 2000 01:32:38 -0400 (EDT)
From: Brian Fundakowski Feldman
X-Sender: green@green.dyndns.org
To: Kris Kennaway
Cc: audit@freebsd.org
Subject: Re: Fuzz testing
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 31 Jul 2000, Kris Kennaway wrote:

> For example:
>
> a2p.core as.core csh.core flex++.core flex.core sh.core

I've been tracking down sh.core, because I consider this very important. The shells _must_ be secure, and "crashing" bugs certainly don't make them seem so.

In the sh(1) case, it crashes on input of control characters. This wouldn't be a problem normally, because there is tons of code in sh(1) that is made to support escaping all evil control characters in the input. However, Martin Cracauer seems to think making it 8-bit clean is done by not escaping the control characters :-(

I have no idea how you would believe that control characters are "okay" to leave unescaped "just because" they're used by a character set, and indeed that should be all the more reason to make sure they're properly escaped. This needs a hell of a lot of reversion to fix.

Yes, I think this probably has security implications :-(

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'