Date:      Sat, 30 Sep 2000 15:29:28 -0600
From:      Warner Losh <imp@village.org>
To:        Adam Laurie <adam@algroup.co.uk>
Cc:        security@FreeBSD.ORG
Subject:   Re: cvs commit: ports/mail/pine4 Makefile (fwd) 
Message-ID:  <200009302129.PAA13646@harmony.village.org>
In-Reply-To: Your message of "Sat, 30 Sep 2000 09:15:56 BST." <39D5A13C.8AF289BE@algroup.co.uk> 
References:  <39D5A13C.8AF289BE@algroup.co.uk>  <200009292349.TAA07263@giganda.komkon.org> <008b01c02a71$6b8938c0$d04379a5@p4f0i0> <20000929172644.C6456@freefall.freebsd.org> 

In message <39D5A13C.8AF289BE@algroup.co.uk> Adam Laurie writes:
: I find it very odd that ports get so much positive pressure from this
: list to restrict/fix/exclude them when there is a security issue, but
: try and get something done to core FreeBSD scripts/services etc., and
: you'll get shot down in flames... Bizarre...

That's because for the most part all programs running at elevated
privs in the base OS have been evaluated for security issues already.
They have been looked at in detail.  Their sprintfs have been changed
to snprintf, etc.  Such is not the case with pine.  It runs with
privs, but the code that I've looked at appears to be rife with
potential overflows.  Maybe these aren't exploitable, maybe they are.
What Kris' action says is that you are taking a big risk by running
this port.  That's what his job as ports security officer/coordinator
is supposed to be.  He's not only supposed to REACT to problems, but
he's supposed to proactively find problems and fix or warn about
them.

Warner
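The sprintf-to-snprintf change the message refers to, shown on a small constructed example. This is an added illustration, not code from pine, from FreeBSD, or from the poster; the helper names, the 32-byte buffer size and the sample subjects are all hypothetical. It pairs the unbounded sprintf() with the bounded snprintf() and includes the return-value check that a mechanical swap often leaves out: snprintf() returns the length the output would have had, so comparing it against the buffer size turns silent truncation into a detected error.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mail-client helper: build a "Re: <subject>" line into a
 * fixed-size buffer, the kind of spot an unbounded sprintf() bites. */
#define LINE_SZ 32

/* Vulnerable form: sprintf() writes as many bytes as the format expands
 * to, so a subject longer than LINE_SZ-5 bytes runs off the end of out[].
 * Never call it with untrusted input; it is here only for contrast. */
void reply_subject_unsafe(char out[LINE_SZ], const char *subject)
{
    sprintf(out, "Re: %s", subject);
}

/* Hardened form: snprintf() never writes more than LINE_SZ bytes
 * (NUL included) and returns the length the full output WOULD have had.
 * Checking that value against the buffer size is the step a bare
 * sprintf->snprintf replacement tends to forget; without it the line is
 * silently truncated instead of overflowed. */
bool reply_subject_safe(char out[LINE_SZ], const char *subject)
{
    int n = snprintf(out, LINE_SZ, "Re: %s", subject);
    if (n < 0 || (size_t)n >= LINE_SZ) {
        out[0] = '\0';          /* refuse to emit a truncated line */
        return false;
    }
    return true;
}

/* Dry run: report whether the formatted line would fit, without writing
 * to any buffer (snprintf with a NULL target and size 0 is C99-legal). */
bool reply_subject_fits(const char *subject)
{
    int n = snprintf(NULL, 0, "Re: %s", subject);
    return n >= 0 && (size_t)n < LINE_SZ;
}

int main(void)
{
    char line[LINE_SZ];
    /* constructed inputs: one that fits, one 40-byte subject that does not */
    const char *short_subject = "hello";
    const char *long_subject  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    reply_subject_unsafe(line, short_subject);   /* fits: "Re: hello" */
    printf("%s\n", line);

    if (!reply_subject_safe(line, long_subject))
        printf("rejected: %zu-byte subject does not fit in %d bytes\n",
               strlen(long_subject), LINE_SZ);
    return 0;
}
```

The boundary is exact: a 27-byte subject yields a 31-character line plus NUL and is accepted; a 28-byte subject needs 33 bytes and is rejected. Auditing a code base for this class of bug means grepping for sprintf/strcpy/strcat into fixed arrays and, for every snprintf already present, checking whether its return value is ever looked at.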

