From owner-freebsd-security Sat Nov 4 12:12:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id D268337B479 for ; Sat, 4 Nov 2000 12:12:36 -0800 (PST)
Received: (qmail 38241 invoked by uid 1000); 4 Nov 2000 20:12:36 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 4 Nov 2000 20:12:36 -0000
Date: Sat, 4 Nov 2000 14:12:35 -0600 (CST)
From: Mike Silbersack
To: freebsd-security@freebsd.org
Subject: pine 4.30 improvements
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Although the port hasn't been updated yet, I thought some people might be interested in what changed from pine 4.21 to 4.30 (security-wise). In short, they've tried to make it more secure, but aren't quite there yet.

Many more cases of bounds checking of strings have appeared, although it's not yet perfect. At present, they're limiting themselves by not using snprintf/strlcpy/strlcat, so auditing whether the code is safe is still a very difficult job. However, if they keep moving in this direction, it seems likely that pine will be able to be considered safe within a release or two.

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
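The auditing point in the message above, illustrated with a constructed C example that is not from the message and not pine's code: a header-line builder written in the "check the length by hand, then strcpy/strcat" style next to the same builder written with strlcpy/strlcat and with snprintf. In the hand-checked style the safety of every copy depends on arithmetic that sits somewhere else in the function, so an auditor has to recompute it at each site; the deliberately wrong check here (constructed for the illustration, it omits the byte for the terminating NUL) is exactly the kind of thing that review has to catch. With the bounded functions the buffer size travels with each call and truncation is reported by the return value, so nothing can write past the buffer no matter what the arithmetic says. Because strlcpy/strlcat are not in every libc, the block carries portable reimplementations under the assumed names xstrlcpy/xstrlcat; the builder names, the 16-byte buffer size and the sample name/address strings are likewise assumptions made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Portable reimplementations of strlcpy(3)/strlcat(3) with OpenBSD semantics:
 * always NUL-terminate when dsize > 0, and return the length the complete
 * result would have had, so a return value >= dsize means truncation. */
size_t xstrlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);
    if (dsize != 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

size_t xstrlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = 0;
    while (dlen < dsize && dst[dlen] != '\0')   /* bounded strlen of dst */
        dlen++;
    if (dlen == dsize)                           /* dst not terminated in dsize */
        return dsize + strlen(src);
    return dlen + xstrlcpy(dst + dlen, src, dsize - dlen);
}

/* Style 1: a hand-written length check guarding unbounded strcpy/strcat.
 * The result "name <addr>" needs strlen(name) + strlen(addr) + 3 characters
 * plus 1 for the NUL. This check (a constructed bug for illustration) forgets
 * the NUL, so an input that fills the buffer exactly overruns it by one byte.
 * Only call this through the canary harness below. */
int build_hdr_manual(char *out, size_t outsz, const char *name, const char *addr)
{
    if (strlen(name) + strlen(addr) + 3 > outsz)     /* should be + 4 */
        return -1;
    strcpy(out, name);
    strcat(out, " <");
    strcat(out, addr);
    strcat(out, ">");
    return 0;
}

/* Style 2: the same builder with bounded copies. Each call carries outsz,
 * so no copy can write past the buffer, and truncation shows up as a
 * return value >= outsz instead of depending on up-front arithmetic. */
int build_hdr_bounded(char *out, size_t outsz, const char *name, const char *addr)
{
    if (xstrlcpy(out, name, outsz) >= outsz) return -1;
    if (xstrlcat(out, " <", outsz) >= outsz) return -1;
    if (xstrlcat(out, addr, outsz) >= outsz) return -1;
    if (xstrlcat(out, ">", outsz) >= outsz) return -1;
    return 0;
}

/* Style 3: one snprintf carries the bound for the whole format string. */
int build_hdr_snprintf(char *out, size_t outsz, const char *name, const char *addr)
{
    int n = snprintf(out, outsz, "%s <%s>", name, addr);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Harness: a BUFSZ-byte logical buffer followed by one canary byte, so a
 * one-byte overrun lands on the canary rather than on unrelated memory. */
#define BUFSZ  16
#define CANARY 0xA5

typedef int (*builder_fn)(char *, size_t, const char *, const char *);

/* Returns 1 if the builder overwrote the canary, 0 if it stayed in bounds. */
int overruns(builder_fn fn, const char *name, const char *addr)
{
    unsigned char backing[BUFSZ + 1];
    memset(backing, 0, sizeof backing);
    backing[BUFSZ] = CANARY;
    fn((char *)backing, BUFSZ, name, addr);
    return backing[BUFSZ] != CANARY;
}

/* Returns 1 if the (bounded) builder succeeds and yields exactly `expect`. */
int builds_exactly(builder_fn fn, const char *name, const char *addr, const char *expect)
{
    char buf[BUFSZ];
    if (fn(buf, sizeof buf, name, addr) != 0)
        return 0;
    return strcmp(buf, expect) == 0;
}

int main(void)
{
    /* "Silby <a@b.cdef>" is exactly 16 characters: fills BUFSZ with no room for NUL. */
    printf("manual:   overruns=%d\n", overruns(build_hdr_manual,   "Silby", "a@b.cdef"));
    printf("bounded:  overruns=%d\n", overruns(build_hdr_bounded,  "Silby", "a@b.cdef"));
    printf("snprintf: overruns=%d\n", overruns(build_hdr_snprintf, "Silby", "a@b.cdef"));
    return 0;
}
```

The input that fits with one byte to spare is accepted by all three builders; the input that is one byte too long slips past the hand-written check and clobbers the canary, while the strlcpy/strlcat and snprintf versions refuse it and leave the canary intact.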