From owner-freebsd-security Thu Oct 19 21:43:42 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id VAA15348 for security-outgoing; Thu, 19 Oct 1995 21:43:42 -0700
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id VAA15342 for ; Thu, 19 Oct 1995 21:43:35 -0700
Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.9/8.6.9) id OAA15709; Fri, 20 Oct 1995 14:41:00 +1000
Date: Fri, 20 Oct 1995 14:41:00 +1000
From: Bruce Evans
Message-Id: <199510200441.OAA15709@godzilla.zeta.org.au>
To: davidg@Root.COM, nate@elite.net
Subject: Re: statustatus of syslog patch?
Cc: security@freebsd.org
Sender: owner-security@freebsd.org
Precedence: bulk

>>What is the status of the patch for the buffer overflow in syslog()?
>>I checked FreeBSD-current as of 10/19 and the sccs id still says:
>>"@(#)syslog.c 8.4 (Berkeley) 3/18/94"

> It'll say that until the end of time...that's Berkeley's ID. Our ID's are
>in the form of "$Id: $"...we use cvs/RCS (not SCCS). Not all of
>our source files have $Id$'s in them; we haven't gotten around to adding them
>yet. syslog.c is one of the ones that doesn't have $Id$.

I dislike adding $Id$ to files that we haven't otherwise changed, and
otherwise changes like the whitespace changes that touched hundreds of
files. Such changes make it hard to see what has really changed.

>>Does anyone plan to integrate it into the source tree? If not, can someone
>>please send me a copy of syslog.c that safely and intelligently uses
>>snprintf to limit buffer overflows?

> It has already been integrated.

It actually uses fwopen(), not the primitive snprintf().

Bruce