From owner-freebsd-security Sun Nov 1 21:13:37 1998
Return-Path:
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id VAA06585
          for freebsd-security-outgoing; Sun, 1 Nov 1998 21:13:37 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from sasami.jurai.net (sasami.jurai.net [207.153.65.3])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA06579
          for ; Sun, 1 Nov 1998 21:13:34 -0800 (PST)
          (envelope-from winter@jurai.net)
Received: from localhost (winter@localhost)
          by sasami.jurai.net (8.8.8/8.8.7) with SMTP id AAA20231;
          Mon, 2 Nov 1998 00:13:24 -0500 (EST)
Date: Mon, 2 Nov 1998 00:13:23 -0500 (EST)
From: "Matthew N. Dodd"
To: Peter Jeremy
cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <98Nov2.132551est.40330@border.alcanet.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 2 Nov 1998, Peter Jeremy wrote:
> ssh also contains a large number of sprintf() calls. Not all of these
> are immediately innocuous. There are also 2 sscanf() calls with %s
> formats which could be dangerous. Not to mention the str[n]cat() and
> str[n]cpy() calls. Unfortunately I have another bushfire to worry
> about right now, or I'd check through them as well.

ftp.jurai.net:/users/winter/
	ssh1226.sprintf.patch
	ssh1226.vsprintf.patch

> The problem with C is that there are too many ways to shoot yourself
> in the foot... A full security audit on ssh (which it sounds like it
> might need) would be fairly time-consuming.

Indeed. My approach was (is) to address the easy things that could be
broken. I'll probably work on sscanf issues next unless someone beats me
to it.

Going through the code and fixing improper logic I'll leave to someone
with more of a burr up their ass. :)

--
| Matthew N. Dodd  | 78 280Z | 75 164E | 84 245DL | FreeBSD/NetBSD/Sprite/VMS |
| winter@jurai.net |      This Space For Rent     | ix86,sparc,m68k,pmax,vax  |
| http://www.jurai.net/~winter | Are you k-rad elite enough for my webpage? |

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
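
An added example, not part of this thread and not taken from the ssh patches it mentions: the two kinds of fix discussed above, in C, with a width-limited `sscanf()` in place of a bare `%s` and a `vsnprintf()` wrapper that reports truncation in place of `vsprintf()`. The names `parse_pair`, `format_checked`, `FIELD_LEN` and the sample input are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 15                 /* assumed max chars per parsed field */
#define STR2(x) #x
#define STR(x) STR2(x)               /* turns FIELD_LEN into the text "15" */

/* Hypothetical record type for this example. */
struct pair { char key[FIELD_LEN + 1]; char val[FIELD_LEN + 1]; };

/* Bounded form of sscanf(line, "%s %s", key, val). The width caps how many
 * bytes each %s stores; %n records where each field stopped so a field cut
 * short by the width is rejected rather than silently split in two.
 * Returns 0 on success, -1 on a missing or over-long field. */
int parse_pair(const char *line, struct pair *p)
{
    int k_end = 0, v_end = 0;
    int n = sscanf(line, "%" STR(FIELD_LEN) "s%n %" STR(FIELD_LEN) "s%n",
                   p->key, &k_end, p->val, &v_end);
    if (n != 2)
        return -1;                                   /* value missing */
    if (!isspace((unsigned char)line[k_end]))
        return -1;                                   /* key hit the width cap */
    if (line[v_end] != '\0' && !isspace((unsigned char)line[v_end]))
        return -1;                                   /* value hit the width cap */
    return 0;
}

/* Bounded form of vsprintf(): never writes past dstsz and returns -1 when
 * the output did not fit, instead of overrunning the buffer. */
int format_checked(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : n;
}

int main(void)
{
    struct pair p;
    char out[32];
    const char *line = "user alice";                 /* constructed input */
    if (parse_pair(line, &p) == 0 &&
        format_checked(out, sizeof out, "%s=%s", p.key, p.val) > 0)
        puts(out);
    return 0;
}
```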