Date: Sat, 30 Sep 2000 00:24:00 -0400
From: "Brian F. Feldman" <green@FreeBSD.org>
To: Roman Shterenzon <roman@xpert.com>
Cc: Kris Kennaway <kris@FreeBSD.org>, security@FreeBSD.org
Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)
Message-ID: <200009300424.e8U4O1533513@green.dyndns.org>
In-Reply-To: Message from Roman Shterenzon <roman@xpert.com> of "Sat, 30 Sep 2000 02:41:30 +0200." <Pine.LNX.4.10.10009291755520.17656-100000@jamus.xpert.com>
> Perhaps I'll move to mutt, the same command gives only 92 occurrences :)
> Mutt on the other hand has sgid binary installed..
>
> On Fri, 29 Sep 2000, Kris Kennaway wrote:
>
> > It almost killed me to see this:
> >
> > mollari# find pine4.21 -type f | xargs egrep '(sprintf|strcpy|strcat)' | wc -l
> > 4299
> >
> > Don't use pine - I don't believe it is practical to make it secure. :-(
> >
> > Kris

Now we should do something else: Pine is pretty popular. It shouldn't be, so we should create a page showing other mailers that are known to be much more secure and their virtues. In a sense, propaganda :) but I feel it's very important to move people away from such insecure software, and they simply won't unless they see alternatives.

So, how about it? Should we set up a page so we have a URL to put in the Pine insecurity notice that shows, "you can live without Pine"? I'd propose the first two most popular mailers (it seems) after Pine: mutt and exmh. For instance, I use exmh, so I am interested in nmh being secure. I checked the source, and I found only <100 uses of sprintf/strcat/strcpy. Only a few of them I decided could pose a threat (others MAYBE being exploitable from the configuration files, but that's no big deal at all ;), and even then, the user would have to create a really weird mail format file to do it.

So, given those two as believed very secure (or three, counting nmh and exmh as an add-on which it really is) as a start, should we point people to the alternatives which are much safer? I volunteer to do most of the work on it...

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
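The thread's `find | xargs egrep | wc -l` one-liner gives a single number for a whole tree; an auditor triaging a mailer the way Brian describes for nmh wants to know which files and which functions account for it. The script below is an added example, not code from the thread or from any of the mailers discussed: it tallies sprintf/strcpy/strcat calls per file and sorts the hottest files first, on a small constructed source tree. It assumes a POSIX sh with find, grep, sort and mktemp.

```sh
#!/bin/sh
# Added example, not from the thread: per-file, per-function tally of the
# unsafe string calls Kris grepped for, so an auditor knows where to read first.
# Assumes POSIX sh with find, grep, sort and mktemp; the sample tree is constructed.

# unsafe_calls DIR: print "count function file" for every C file under DIR that
# contains a call of sprintf/strcpy/strcat, highest count first. A count is the
# number of lines containing a call (grep -c), and the pattern requires call
# syntax with a word boundary in front, so a comment that merely mentions
# strcpy, or a vsprintf/strncpy call, is not counted.
unsafe_calls() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) |
    while IFS= read -r f; do
        for fn in sprintf strcpy strcat; do
            n=$(grep -E -c "(^|[^[:alnum:]_])$fn[[:space:]]*\(" "$f")
            if [ "$n" -gt 0 ]; then
                printf '%s %s %s\n' "$n" "$fn" "$f"
            fi
        done
    done | sort -rn
}

# make_sample: write a constructed two-file source tree and print its path.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/cfg.c" <<'EOF'
/* strcpy is deliberately avoided in this file */
void save(char *dst, const char *src) { strncpy(dst, src, 63); }
int fmt(char *buf, va_list ap) { return vsprintf(buf, "%d", ap); }
void one(char *buf, int n) { sprintf(buf, "%d", n); }
EOF
    cat > "$d/hdr.c" <<'EOF'
void join(char *dst, const char *a, const char *b) { strcpy(dst, a); strcat(dst, b); }
void again(char *dst, const char *a) { strcpy(dst, a); }
void more(char *dst, const char *a) { strcpy (dst, a); }
EOF
    echo "$d"
}

dir=$(make_sample)
unsafe_calls "$dir"
```

On the constructed tree the first line is `3 strcpy .../hdr.c`; the comment, strncpy and vsprintf lines in cfg.c contribute nothing.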