From: Masafumi NAKANE
Date: Tue, 22 Feb 2000 15:46:49 +0900
To: imp@village.org
Cc: 3APA3A@SECURITY.NNOV.RU, kris@hub.freebsd.org, serg@dor.zaural.ru, freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: Re[2]: delegate buffer overflow (ports)

Hi,

I finally got some time to sit down and look at the issue closely.  I agree the source of the DeleGate isn't really secure.

Here's my proposal.

1. Define NO_PACKAGE so that the CD-ROM and the FTP won't include the package.  And this will require the users to do ``make install'' if they want to use DeleGate on their machines.

2. When a user simply types ``make'' or ``make install'' or whatever, show something like:

**********************************************************************
*  WARNING! WARNING! WARNING! WARNING!                               *
*  This program has known security problems.                         *
*  It is strongly recommended that you do not use this program.      *
*                                                                    *
*  If you would like to use this program despite the danger,         *
*  run make with ``FORCE_BUILD=YES''.                                *
**********************************************************************

3. If a user runs make with ``FORCE_BUILD=YES'', build/install the program with some security warning at the pre-build time as well as post-install time.

What do people think?

Cheers,
Max
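
A sketch of how the three steps could look in a port Makefile, added here as an illustration and not taken from the delegate port or from the message's author. It assumes the ports framework's pre-fetch, pre-build and post-install hook targets; FORCE_BUILD is the knob the message proposes, and the warning wording is shortened.

```make
# Added illustration: fragment for a port Makefile, placed before
# ".include <bsd.port.mk>".  Not the delegate port's actual Makefile.

# Step 1: no binary package is built, so nothing ships on CD-ROM or FTP.
NO_PACKAGE=	known security problems

# Step 2: stop before anything is fetched unless FORCE_BUILD=YES is given.
# FORCE_BUILD is the knob proposed in the message; an unset variable
# expands to an empty string here, so the test fails closed.
pre-fetch:
	@if [ "${FORCE_BUILD}" != "YES" ]; then \
		echo "WARNING! This program has known security problems."; \
		echo "It is strongly recommended that you do not use it."; \
		echo "To build it despite the danger, run make with FORCE_BUILD=YES."; \
		exit 1; \
	fi

# Step 3: a forced build still warns before building and after installing.
pre-build:
	@echo "WARNING: building a program with known security problems."

post-install:
	@echo "WARNING: the installed program has known security problems."
```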