From: Mark Hittinger
Message-Id: <199508300005.UAA28922@ns1.win.net>
Subject: Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
To: security@freebsd.org
Date: Tue, 29 Aug 1995 20:05:12 -0400 (EDT)

> > >shades of rtm
> > Anyone for execute-protected data by default if the machine can support
> > it? Programs that want to execute data should have to request it and
> > everything else would be more secure.
> the segment descriptors support the text (code) vs data
> identification. this would be a big win regarding security (and writing
> to wild pointers that hit your own code segment ;)

YES!

> we should still examine all the system libraries for similar
> problems (buffer overrun). this was the exact same problem that rtm used
> to compromise fingerd, it used gets(), syslog() used sprintf().
> The RPC stuff seems to use this also.

"strcpy" is also a bad boy.

Regards,

Mark Hittinger
bugs@win.net
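
Bounded counterparts of the three calls named in this thread (gets(), sprintf(), strcpy()), given as an added example that is not part of the original message or of any FreeBSD source. The function names, the shared return convention and the 16-byte buffer are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Shared return convention (an assumption of this example):
 * 0 = fits, 1 = truncated, -1 = error.
 * Replaces sprintf(dst, fmt, ...): vsnprintf() writes at most dstsz bytes
 * (NUL included) and returns the length it needed. */
int format_bounded(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (dst == NULL || dstsz == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    if (n < 0) { dst[0] = '\0'; return -1; }
    return (size_t)n >= dstsz ? 1 : 0;
}

/* Replaces strcpy(dst, src): copies at most dstsz - 1 bytes, always terminates. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dstsz == 0) return -1;
    n = strlen(src);
    if (n >= dstsz) n = dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src[n] != '\0';
}

/* Replaces gets(dst): fgets() is told the buffer size. The newline is
 * stripped; no newline and no EOF means the buffer filled first. */
int read_line_bounded(char *dst, size_t dstsz, FILE *in)
{
    size_t n;
    if (dst == NULL || dstsz < 2 || in == NULL) return -1;
    if (fgets(dst, (int)dstsz, in) == NULL) { dst[0] = '\0'; return -1; }
    n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') { dst[n - 1] = '\0'; return 0; }
    return feof(in) ? 0 : 1;
}

int main(void)
{
    char buf[16]; /* constructed, deliberately small destination */
    int rc = format_bounded(buf, sizeof buf, "%s: %s", "fingerd", "constructed long input");
    printf("rc=%d buf=\"%s\"\n", rc, buf);
    return 0;
}
```

A return value of 1 leaves the decision to the caller: log the truncation, reject the input, or drain the rest of the line before reading again.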