From owner-freebsd-security Wed Jan 16 16:19:28 2002
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 28F2837B400 for ; Wed, 16 Jan 2002 16:19:17 -0800 (PST)
Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 4E9FA1DA7; Thu, 17 Jan 2002 01:16:18 +0100 (CET)
Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [127.0.0.1]) by velvet.zaraska.dhs.org (8.11.2/8.11.2) with SMTP id g0H0G4s01259; Thu, 17 Jan 2002 01:16:04 +0100
Date: Thu, 17 Jan 2002 01:16:04 +0100
From: Krzysztof Zaraska
To: "Buliwyf McGraw"
Cc: freebsd-security@freebsd.org
Subject: Re: gets() is unsafe (fwd)
Message-Id: <20020117011604.6e5291da.kzaraska@student.uci.agh.edu.pl>
In-Reply-To:
References:
Organization: University Of Mining And Metallurgy
X-Mailer: Sylpheed version 0.6.2 (GTK+ 1.2.10; i686-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, 16 Jan 2002 08:56:40 -0500 (COT)
Buliwyf McGraw wrote:

> Kris Kennaway, and lo! it spake thus:
>
> > * Buliwyf McGraw [020114 14:49] wrote:
> >
> > > > Hi... I was installing several applications (php,xmms,etc) on my
> > > > FreeBSD 4.4 server and I got the next message a lot of times when
> > > > I was compiling:
>               ^^^^^^^^^
> > > > /usr/lib/compat/libc.so.3: warning: mktemp() possibly used unsafely;
> > > > consider using mkstemp()
> > > > /usr/lib/compat/libc.so.3: warning: tmpnam() possibly used unsafely;
> > > > consider using mkstemp()
> [...]
> > > No, this is a FAQ; it's a bug in the linker which causes it to trip
> > > every single _warn_references() in the library when it links to libc,
> > > regardless of whether the program actually uses the functions in
> > > question.
>
> > I think it's an even better FAQ: Why, when he's compiling, is it linking
> > against a compat/libc?
>
> Ok... I have to say that I am not an expert on FreeBSD, just a new
> admin... I installed FreeBSD 4.4 on my box (in some way, "everything by
> default")... and then I started to install some applications (apache,php,etc),
> not with the /stand/sysinstall utility, but in the traditional way:
> - Download the *.tar.gz
> - Uncompress, configure, make, make install
>
> I expected no problems... but as you can see, the warning messages give
> an "insecure" sensation.
> I want to do something to avoid those messages when I try to compile a GNU
> application.
> Thanks for your comments and help.

OK, I'm not an expert here either, but anyhow...

I've been doing some FreeBSD porting/programming recently and I found that
these (or similar) warnings simply pop up when you use an insecure function
in your code. Try compiling a 'Hello World'-like application that uses
mktemp() or gets(). You'll get a warning, while the same code compiles
cleanly on Linux. So it seems that such warnings are issued every time the
linker hits a function that is 'tagged' as insecure. I guess this is an
attempt to help programmers in secure programming :)

I guess some of your programs make use of these insecure functions, so the
compiler warns you about that. Of course the fact that someone used an
insecure function does not necessarily mean that the program is
automatically insecure; everything depends on how it is used.

Besides, if you are installing standard applications, why don't you go to
/usr/ports and start from there? E.g.

  cd /usr/ports/www/apache13 && make install

will install Apache for you. You'll get a version already patched for FreeBSD.
Krzysztof

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
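Added example, not code from the thread above or from FreeBSD's libc, in C (the language the linker warnings concern). It puts the replacement each warning suggests next to a comment describing the unsafe call it replaces: fgets() with a length bound in place of gets(), and mkstemp() in place of mktemp()/tmpnam(). The function names, the constructed in-memory input and the /tmp prefix are the editor's own; the code assumes a POSIX libc that provides fmemopen(3) and mkstemp(3).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Added example (hypothetical helper names), not from the list thread.
 * The unsafe calls named in the warnings are described in comments only;
 * the functions below implement the replacements the warnings suggest. */

/* Bounded line read. gets(buf) takes no length, so input longer than the
 * buffer overruns it; fgets() stops after cap-1 bytes. Strips a trailing
 * newline when present. Returns bytes stored, or -1 on EOF/error. */
int read_line_bounded(char *buf, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n')
        buf[--n] = '\0';
    return (int)n;
}

/* Feeds a constructed in-memory string instead of stdin, so the reader
 * can be exercised offline (assumes fmemopen(3), POSIX.1-2008). */
int read_line_from_string(const char *src, char *buf, size_t cap)
{
    FILE *in = fmemopen((void *)src, strlen(src), "r");
    if (in == NULL)
        return -1;
    int n = read_line_bounded(buf, cap, in);
    fclose(in);
    return n;
}

/* Atomic temp-file creation. mktemp()/tmpnam() only hand back a name and
 * leave the caller to open it, so another process can create that path
 * (a symlink, for instance) between the two steps. mkstemp() creates and
 * opens the file itself with O_CREAT|O_EXCL and mode 0600, closing that
 * window. Writes the chosen path into path_out; returns the fd or -1. */
int create_temp_file(const char *dir, char *path_out, size_t cap)
{
    int n = snprintf(path_out, cap, "%s/example.XXXXXX", dir);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return mkstemp(path_out);
}

/* Returns 1 if the open file carries no group/other permission bits. */
int temp_file_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(void)
{
    char line[16];
    int n = read_line_from_string("a line longer than sixteen bytes\n",
                                  line, sizeof line);
    printf("stored %d bytes: \"%s\"\n", n, line);

    char path[64];
    int fd = create_temp_file("/tmp", path, sizeof path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("created %s (private: %d)\n", path, temp_file_is_private(fd));
    close(fd);
    unlink(path);
    return 0;
}
```

Linking this on a FreeBSD of that era produces none of the warnings quoted in the thread, because neither gets() nor mktemp() nor tmpnam() is referenced; the warning is attached to the symbol, not to how carefully it is used, which is the point Krzysztof makes about "tagged" functions.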