From owner-freebsd-security Fri Sep 29 20: 4:20 2000 Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 024DA37B66C; Fri, 29 Sep 2000 20:04:17 -0700 (PDT) Received: from bsdie.rwsystems.net([209.197.223.2]) (1710 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Fri, 29 Sep 2000 21:57:41 -0500 (CDT) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25) Date: Fri, 29 Sep 2000 21:57:41 -0500 (CDT) From: James Wyatt To: Roman Shterenzon Cc: Kris Kennaway , security@freebsd.org Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Lies, Damn Lies, and Statistics... I haven't looked, but I'll bet that most of the 4299 hits you got for pine were in code that concerns fairly useless-to-attack areas of code like the CUI (screens, menus, text areas, etc), config file IO, etc... Since the program isn't suid or guid, a stack overflow in the menu code might let you become *gasp!* yourself - whee! I have to admit that with *that* many incidences of a cancer like that, some of it is likely to be attached to a vital organ or two like mailspool header parsing or such. Aftre all user input isn't the problem, external input is, isn't it? - Jy@ On Sat, 30 Sep 2000, Roman Shterenzon wrote: > Perhaps I'll move to mutt, the same command gives only 92 occurrences :) > Mutt on the other hand has sgid binary installed.. > > On Fri, 29 Sep 2000, Kris Kennaway wrote: > > It almost killed me to see this: > > > > mollari# find pine4.21 -type f | xargs egrep '(sprintf|strcpy|strcat)' | wc -l > > 4299 > > > > Don't use pine - I don't believe it is practical to make it secure. :-( [ ... ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message