From: Roman Shterenzon
To: Kris Kennaway
Cc: security@freebsd.org
Date: Sat, 30 Sep 2000 02:41:30 +0200 (IST)
Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)

Perhaps I'll move to mutt, the same command gives only 92 occurrences :)
Mutt on the other hand has sgid binary installed..

On Fri, 29 Sep 2000, Kris Kennaway wrote:

> It almost killed me to see this:
>
> mollari# find pine4.21 -type f | xargs egrep '(sprintf|strcpy|strcat)' | wc -l
>     4299
>
> Don't use pine - I don't believe it is practical to make it secure. :-(
>
> Kris
>
> --
> In God we Trust -- all others must submit an X.509 certificate.
>     -- Charles Forsythe
>
> ---------- Forwarded message ----------
> Date: Fri, 29 Sep 2000 00:28:48 -0700 (PDT)
> From: Kris Kennaway
> To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
> Subject: cvs commit: ports/mail/pine4 Makefile
>
> kris        2000/09/29 00:28:48 PDT
>
>   Modified files:
>     mail/pine4           Makefile
>   Log:
>   Mark FORBIDDEN: known buffer overflows exploitable by remote email.
>
>   Parenthetically, no software which uses 4299 sprintf/strcpy/strcat
>   calls can possibly be safe - I don't expect to remove this FORBIDDEN
>   tag any time soon. :-(
>
>   Revision  Changes    Path
>   1.43      +3 -1      ports/mail/pine4/Makefile
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]