Date: Fri, 28 Jan 2000 01:37:51 -0800
From: Alfred Perlstein <bright@wintelcom.net>
To: Kris Kennaway <kris@hub.freebsd.org>
Cc: Masafumi NAKANE <max@wide.ad.jp>, serg@dor.zaural.ru, freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: delegate buffer overflow (ports)
Message-ID: <20000128013751.A7157@fw.wintelcom.net>
In-Reply-To: <Pine.BSF.4.21.0001280053120.27989-100000@hub.freebsd.org>; from kris@hub.freebsd.org on Fri, Jan 28, 2000 at 12:55:54AM -0800
References: <877lgufvc3.wl@fr.aslm.rim.or.jp> <Pine.BSF.4.21.0001280053120.27989-100000@hub.freebsd.org>

* Kris Kennaway <kris@hub.freebsd.org> [000128 01:26] wrote:
> On Fri, 28 Jan 2000, Masafumi NAKANE wrote:
>
> > Instead, I will make this port to ask the user if he/she really wants
> > to continue the installation with the security information at
> > ``pkg_add'', ``make pre-fetch'' and ``make install'' times. This
>
> Hmm. If this is along the lines of:
>
> **************************************
> ** WARNING!!! WARNING!!! WARNING!!! **
> **************************************
>
> THIS PORT CONTAINS KNOWN SECURITY HOLES WHICH ALLOW A REMOTE ATTACKER TO
> EASILY TAKE CONTROL OF YOUR MACHINE. YOU INSTALL THIS PORT AT YOUR OWN
> RISK!! DON'T COME CRYING TO US IF YOU GET ROOTED BECAUSE OF INSTALLING
> THIS PORT.
>
> Do you want hackers to be able to take remote control of your
> machine? (y/N):
>
> then I guess I have no problem with it :-)
>
> Kris

Actually something _like_ this would do a couple of good things:

a) make it known to the authors that we know their program is a
security hazard
b) provide a common error message instead of multiple variations of
FORBIDDEN making it harder to identify such ports, marking it
insecure via INSECURE would be interesting allowing a comment
possibly containing a pointer to the advisory or email thread that
got it marked so.

example:

INSECURE= http://docs.freebsd.org/cgi/getmsg.cgi?fetch=407538+0+current/freebsd-bugs

What do you think of this?

-Alfred