From owner-freebsd-security Wed Feb 5 13:10:18 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA12100 for security-outgoing; Wed, 5 Feb 1997 13:10:18 -0800 (PST) Received: from spitfire.ecsel.psu.edu (spitfire.ecsel.psu.edu [146.186.218.51]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id NAA12051 for ; Wed, 5 Feb 1997 13:09:45 -0800 (PST) Received: (qmail 418 invoked by uid 1000); 5 Feb 1997 21:09:08 -0000 Message-ID: <19970205210908.417.qmail@spitfire.ecsel.psu.edu> To: Karl Denninger cc: security@freebsd.org Subject: Re: PATCH for *ALL* FreeBSD Setlocale() problems - EVERYONE SHOULD READ THIS MESSAGE In-reply-to: Your message of "Wed, 05 Feb 1997 14:06:13 CST." <199702052006.OAA11778@Jupiter.Mcs.Net> Date: Wed, 05 Feb 1997 16:09:08 -0500 From: Dan Cross Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > I will EXPECT that these will show up in the CVS tree within 48 hours > unless there are VERY good reasons expressed for them not being included. > I WILL be looking for them to appear. Well, for -current, they are somewhat unnecessary. I made a complete fool out of myself last night on freebsd-bugs, thus implicitly demons- trating this. :-) Remember, folks, not *all* calls to strcpy() are bad; sometimes range checking can be accomplished in non-intuitive ways. I expect that just back-porting the code from -current into 2.1 and 2.2 will be enough to solve the problem. However, if I am incorrect and you have an exploit that runs against -current, please let me know, as I would like to see where the error lies. However, I poured over the -current code last night, and while I agree that it needs a bath, I'm pretty certain that it's secure. Thanks! - Dan C. (...whose actually gotten some sleep now, and isn't so quick to make stupid mistakes in his trains of thought... :-)