From owner-freebsd-security Fri Sep 8 3:27:57 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 929FD37B422; Fri, 8 Sep 2000 03:27:55 -0700 (PDT) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id DAA40306; Fri, 8 Sep 2000 03:27:55 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Fri, 8 Sep 2000 03:27:55 -0700 (PDT) From: Kris Kennaway To: Sheldon Hearn Cc: "Vladimir Mencl, MK, susSED" , David Pick , freebsd-security@freebsd.org, security-officer@freebsd.org Subject: Re: UNIX locale format string vulnerability (fwd) In-Reply-To: <15241.968408425@axl.fw.uunet.co.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 8 Sep 2000, Sheldon Hearn wrote: > > > It would be *much* safer to adopt a "deny all and only allow a > > > list of variables that are known to be safe and wanted" approach > > > rather than a "block the ones we know are unsafe and miss blocking > > > a few we don't know about". > > > > Yes, that is the correct approach. > > So which one of you gentlemen is going to take this up with the sudo > developer, Todd Miller ? > > Or are you both just talking for the sake of being heard? :-) Erm, he already participated in other parts of the thread, and agreed when I made this suggestion earlier today. *thwack* :-) Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message