From: Sheldon Hearn
To: "Vladimir Mencl, MK, susSED"
Cc: David Pick, freebsd-security@freebsd.org, security-officer@freebsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-reply-to: Your message of "Fri, 08 Sep 2000 12:07:18 +0200."
Date: Fri, 08 Sep 2000 12:20:25 +0200
Message-ID: <15241.968408425@axl.fw.uunet.co.za>

On Fri, 08 Sep 2000 12:07:18 +0200, "Vladimir Mencl, MK, susSED" wrote:

> > It would be *much* safer to adopt a "deny all and only allow a
> > list of variables that are known to be safe and wanted" approach
> > rather than a "block the ones we know are unsafe and miss blocking
> > a few we don't know about".
>
> Yes, that is the correct approach.

So which one of you gentlemen is going to take this up with the sudo
developer, Todd Miller?

Or are you both just talking for the sake of being heard? :-)

Ciao,
Sheldon.
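
The two approaches contrasted in the quoted text, side by side, as an added example that is not part of the original message and is not sudo's code. The list contents, `filter_env`, `name_in` and the sample environment are assumptions made for illustration; `NLSPATH` stands in for a locale variable that a denylist written earlier would not have covered.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative lists and constructed sample data; not sudo's real lists. */
static const char *const DENY[]  = { "LD_PRELOAD", "LD_LIBRARY_PATH", "IFS", NULL };
static const char *const ALLOW[] = { "PATH", "HOME", "TERM", "USER", NULL };
static char *const SAMPLE_ENV[]  = { "PATH=/usr/bin:/bin", "TERM=xterm",
    "LD_PRELOAD=/constructed/lib.so", "NLSPATH=/constructed/catalogs",
    "NOT_YET_KNOWN=value", "MALFORMED", NULL };

/* 1 if entry's NAME is in names[], 0 if not, -1 if entry has no "NAME=" part. */
static int name_in(const char *entry, const char *const names[])
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return -1;
    size_t len = (size_t)(eq - entry);
    for (size_t i = 0; names[i] != NULL; i++)
        if (strlen(names[i]) == len && strncmp(entry, names[i], len) == 0)
            return 1;
    return 0;
}

/* New NULL-terminated array of pointers into envp (caller frees the array).
 * allow_mode != 0 keeps only listed names; 0 drops listed names. */
char **filter_env(char *const envp[], const char *const list[], int allow_mode)
{
    size_t n = 0, k = 0;
    while (envp[n] != NULL) n++;
    char **out = calloc(n + 1, sizeof *out);
    for (size_t i = 0; out != NULL && i < n; i++)
        if (name_in(envp[i], list) == (allow_mode != 0)) /* -1 never matches */
            out[k++] = envp[i];
    return out;
}

int main(void)
{
    char **deny = filter_env(SAMPLE_ENV, DENY, 0);
    char **allow = filter_env(SAMPLE_ENV, ALLOW, 1);
    for (size_t i = 0; deny && deny[i]; i++)
        printf("denylist keeps:  %s\n", deny[i]);
    for (size_t i = 0; allow && allow[i]; i++)
        printf("allowlist keeps: %s\n", allow[i]);
    free(deny);
    free(allow);
    return 0;
}
```

The denylist result still carries `NLSPATH` and `NOT_YET_KNOWN` into the privileged child, while the allowlist result contains only the variables that were explicitly wanted.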