Date: Wed, 05 Feb 1997 16:09:08 -0500
From: Dan Cross <tenser@spitfire.ecsel.psu.edu>
To: Karl Denninger <karl@mcs.net>
Cc: security@freebsd.org
Subject: Re: PATCH for *ALL* FreeBSD Setlocale() problems - EVERYONE SHOULD READ THIS MESSAGE
Message-ID: <19970205210908.417.qmail@spitfire.ecsel.psu.edu>
In-Reply-To: Your message of "Wed, 05 Feb 1997 14:06:13 CST." <199702052006.OAA11778@Jupiter.Mcs.Net>

> I will EXPECT that these will show up in the CVS tree within 48 hours
> unless there are VERY good reasons expressed for them not being included.
> I WILL be looking for them to appear.

Well, for -current, they are somewhat unnecessary. I made a complete fool out of myself last night on freebsd-bugs, thus implicitly demonstrating this. :-)

Remember, folks, not *all* calls to strcpy() are bad; sometimes range checking can be accomplished in non-intuitive ways.

I expect that just back-porting the code from -current into 2.1 and 2.2 will be enough to solve the problem. However, if I am incorrect and you have an exploit that runs against -current, please let me know, as I would like to see where the error lies. However, I pored over the -current code last night, and while I agree that it needs a bath, I'm pretty certain that it's secure.

Thanks!

- Dan C.

(...who's actually gotten some sleep now, and isn't so quick to make stupid mistakes in his trains of thought... :-)
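
The remark above that a strcpy() call can be safe when the range check is done elsewhere, shown as an added example that is not part of the original message and is not FreeBSD's setlocale() code. The function name, base directory, length limit and the rejection of '/' in the name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 31                    /* assumed limit on a locale name */
#define LOCALE_DIR   "/usr/share/locale/"  /* assumed base directory */

/* Hypothetical helper: build "<LOCALE_DIR><name>/<category>" into out.
 * Returns 0 on success, -1 if the inputs are unsafe or would not fit. */
int build_locale_path(char *out, size_t outsz,
                      const char *name, const char *category)
{
    size_t nlen, clen;

    if (out == NULL || name == NULL || category == NULL)
        return -1;
    nlen = strlen(name);
    clen = strlen(category);

    /* The range check happens once, here, before any copying. */
    if (nlen == 0 || nlen > NAME_MAX_LEN || clen > NAME_MAX_LEN)
        return -1;
    if (strchr(name, '/') != NULL)      /* keep name a single path component */
        return -1;
    /* sizeof(LOCALE_DIR) already counts the terminating NUL. */
    if (sizeof(LOCALE_DIR) + nlen + 1 + clen > outsz)
        return -1;

    /* Unbounded-looking calls, safe only because of the checks above.
     * If those checks are removed or reordered, this becomes an overflow. */
    strcpy(out, LOCALE_DIR);
    strcat(out, name);
    strcat(out, "/");
    strcat(out, category);
    return 0;
}

int main(void)
{
    char path[64];
    char big[256];

    memset(big, 'A', sizeof(big) - 1);  /* constructed oversized input */
    big[sizeof(big) - 1] = '\0';

    printf("%d\n", build_locale_path(path, sizeof(path), "en_US", "LC_TIME"));
    printf("%d\n", build_locale_path(path, sizeof(path), big, "LC_TIME"));
    return 0;
}
```

When auditing code of this shape, the thing to verify is that every path reaching the strcpy()/strcat() calls passes through the length check, including callers added later.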