Date: Fri, 29 Sep 2000 21:57:41 -0500 (CDT)
From: James Wyatt <jwyatt@rwsystems.net>
To: Roman Shterenzon <roman@xpert.com>
Cc: Kris Kennaway <kris@FreeBSD.org>, security@freebsd.org
Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)
Message-ID: <Pine.BSF.4.10.10009292106510.43354-100000@bsdie.rwsystems.net>
In-Reply-To: <Pine.LNX.4.10.10009291755520.17656-100000@jamus.xpert.com>
Lies, Damn Lies, and Statistics...

I haven't looked, but I'll bet that most of the 4299 hits you got for pine were in code that concerns fairly useless-to-attack areas of code like the CUI (screens, menus, text areas, etc), config file IO, etc... Since the program isn't suid or sgid, a stack overflow in the menu code might let you become *gasp!* yourself - whee!

I have to admit that with *that* many incidences of a cancer like that, some of it is likely to be attached to a vital organ or two like mailspool header parsing or such. After all, user input isn't the problem, external input is, isn't it? - Jy@

On Sat, 30 Sep 2000, Roman Shterenzon wrote:

> Perhaps I'll move to mutt, the same command gives only 92 occurrences :)
> Mutt on the other hand has sgid binary installed..
>
> On Fri, 29 Sep 2000, Kris Kennaway wrote:
> > It almost killed me to see this:
> >
> > mollari# find pine4.21 -type f | xargs egrep '(sprintf|strcpy|strcat)' | wc -l
> > 4299
> >
> > Don't use pine - I don't believe it is practical to make it secure. :-(

[ ... ]
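The distinction drawn in the thread is between a `strcpy` fed from data the program already controls and one fed from external input such as a mail header arriving in the spool. The grep count in Kris's message cannot tell the two apart; what matters for each hit is who decides the length of the data being copied. The following added example (written for this note, not pine's code nor anything from the thread) shows the bounded form of a header-value copy: the destination size, not the sender, decides how many bytes are written, and an oversized value is rejected instead of silently overflowing. The buffer size `SUBJECT_MAX` and the function name `parse_subject` are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical fixed-size destination, as a mail reader's header
 * parser might use. The size is an assumption for this example. */
#define SUBJECT_MAX 64

/*
 * Copy the value of a "Subject:" header line into out[outsz].
 * Returns the value length on success, -1 if the line is not a
 * Subject header, and -2 if the value would not fit (out is then "").
 * The explicit length check is what replaces an unbounded
 * strcpy/sprintf: external input never decides how many bytes are
 * written to the caller's buffer.
 */
int parse_subject(const char *line, char *out, size_t outsz)
{
    const char *p;
    size_t len;

    if (outsz == 0)
        return -2;
    out[0] = '\0';

    /* Header names are case-insensitive (RFC 822 / 2822). */
    if (strncasecmp(line, "Subject:", 8) != 0)
        return -1;

    p = line + 8;
    while (*p == ' ' || *p == '\t')        /* skip leading whitespace */
        p++;

    len = strcspn(p, "\r\n");              /* value ends at end of line */
    if (len >= outsz)                      /* must leave room for the NUL */
        return -2;

    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample header lines; the third is deliberately
     * longer than SUBJECT_MAX to exercise the rejection path. */
    char longline[200];
    const char *lines[3];
    char buf[SUBJECT_MAX];
    int i, rc;

    memset(longline, 'A', sizeof longline);
    memcpy(longline, "Subject: ", 9);
    longline[sizeof longline - 3] = '\r';
    longline[sizeof longline - 2] = '\n';
    longline[sizeof longline - 1] = '\0';

    lines[0] = "From: someone@example.invalid\r\n";
    lines[1] = "Subject: Re: cvs commit: ports/mail/pine4 Makefile\r\n";
    lines[2] = longline;

    for (i = 0; i < 3; i++) {
        rc = parse_subject(lines[i], buf, sizeof buf);
        if (rc >= 0)
            printf("line %d: subject (%d bytes): %s\n", i, rc, buf);
        else if (rc == -1)
            printf("line %d: not a Subject header\n", i);
        else
            printf("line %d: Subject value too long, rejected\n", i);
    }
    return 0;
}
```

`memcpy` with an explicit check is used rather than `strlcpy` so the example builds on any libc; on FreeBSD `strlcpy` would do the same job in one call, but the check against `outsz` is the part that matters in either form.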