Date: Fri, 8 Sep 2000 03:27:55 -0700 (PDT) From: Kris Kennaway <kris@FreeBSD.org> To: Sheldon Hearn <sheldonh@uunet.co.za> Cc: "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>, David Pick <D.M.Pick@qmw.ac.uk>, freebsd-security@freebsd.org, security-officer@freebsd.org Subject: Re: UNIX locale format string vulnerability (fwd) Message-ID: <Pine.BSF.4.21.0009080326020.39439-100000@freefall.freebsd.org> In-Reply-To: <15241.968408425@axl.fw.uunet.co.za>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 8 Sep 2000, Sheldon Hearn wrote:
> > > It would be *much* safer to adopt a "deny all and only allow a
> > > list of variables that are known to be safe and wanted" approach
> > > rather than a "block the ones we know are unsafe and miss blocking
> > > a few we don't know about".
> >
> > Yes, that is the correct approach.
>
> So which one of you gentlemen is going to take this up with the sudo
> developer, Todd Miller <Todd.Miller@cs.colorado.edu>?
>
> Or are you both just talking for the sake of being heard? :-)
Erm, he already participated in other parts of the thread, and agreed when
I made this suggestion earlier today.
*thwack* :-)
Kris
--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <forsythe@alum.mit.edu>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0009080326020.39439-100000>