Date: Sat, 30 Sep 2000 02:57:29 +0200 (IST)
From: Roman Shterenzon
To: Kris Kennaway
Cc: security@freebsd.org
Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)
In-Reply-To: <20000929155115.A6456@freefall.freebsd.org>

On Fri, 29 Sep 2000, Kris Kennaway wrote:

> On Sat, Sep 30, 2000 at 02:41:30AM +0200, Roman Shterenzon wrote:
>
> > Perhaps I'll move to mutt, the same command gives only 92 occurrences :)
> > Mutt on the other hand has sgid binary installed..
>
> I haven't looked at mutt yet - of course, just grepping for functions
> is a poor indicator of the security of a program, but in the case of
> pine it is so blatant (and the authors have a bad enough track record)
> as to leave little doubt there are others which are remotely
> exploitable aside from the currently known exploitable ones.

I was just kidding about the number, strcpy(buf, DEFAULTSTR) is quite secure
on most occasions.
Mutt supposedly has better PGP integration and pine scares me now.
(Although I'm writing this in pine)

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
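
The point made in this exchange, that a raw count of strcpy occurrences says little while a copy from a constant such as strcpy(buf, DEFAULTSTR) is usually fine, can be turned into a triage pass. The following is an added example, not part of the original message and not code from pine or mutt; the sample C source, the regexes and the function name `triage` are constructed for illustration.

```python
import re

# Constructed C source for the demonstration (not taken from pine or mutt).
SAMPLE = r'''
#define DEFAULTSTR "inbox"
#define BANNER "this banner is much longer than sixteen bytes"
void f(const char *user_input, char *out) {
    char buf[16];
    char small[16];
    strcpy(buf, DEFAULTSTR);
    strcpy(small, BANNER);
    strcpy(buf, user_input);
    strcpy(out, "ok");
}
'''

# String-valued macros, fixed-size char arrays, and two-argument strcpy calls.
DEFINE = re.compile(r'^\s*#\s*define\s+(\w+)\s+"((?:[^"\\]|\\.)*)"\s*$', re.M)
ARRAY = re.compile(r'\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]')
CALL = re.compile(r'\bstrcpy\s*\(\s*(\w+)\s*,\s*("(?:[^"\\]|\\.)*"|\w+)\s*\)')

def triage(source):
    """Classify each strcpy call instead of merely counting it.

    Simplifications (assumptions of this sketch): array sizes are tracked
    per file, not per scope, and escape sequences are counted as raw
    characters, which can only overestimate the constant's length.
    """
    macros = {m.group(1): m.group(2) for m in DEFINE.finditer(source)}
    sizes = {m.group(1): int(m.group(2)) for m in ARRAY.finditer(source)}
    results = []
    for m in CALL.finditer(source):
        dst, src = m.group(1), m.group(2)
        literal = src[1:-1] if src.startswith('"') else macros.get(src)
        if literal is None:
            verdict = "review: source length not known at compile time"
        elif dst not in sizes:
            verdict = "review: constant source, destination size unknown"
        elif len(literal) + 1 <= sizes[dst]:  # +1 for the terminating NUL
            verdict = "ok: constant fits"
        else:
            verdict = "overflow: constant exceeds destination"
        results.append((m.group(0), verdict))
    return results

if __name__ == "__main__":
    for call, verdict in triage(SAMPLE):
        print(f"{call:30} {verdict}")
```

A grep over the sample reports four strcpy hits; the triage shows only one is safe as written, one is a definite overflow from a constant, and two need a human to check the caller.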