From owner-freebsd-hackers  Thu Aug 28 23:59:45 1997
Return-Path: <owner-freebsd-hackers>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id XAA15778
          for hackers-outgoing; Thu, 28 Aug 1997 23:59:45 -0700 (PDT)
Received: from sax.sax.de (sax.sax.de [193.175.26.33])
          by hub.freebsd.org (8.8.7/8.8.7) with SMTP id XAA15754
          for <freebsd-hackers@FreeBSD.ORG>; Thu, 28 Aug 1997 23:59:40 -0700 (PDT)
Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id IAA10411 for freebsd-hackers@FreeBSD.ORG; Fri, 29 Aug 1997 08:59:39 +0200
Received: (from j@localhost)
	by uriah.heep.sax.de (8.8.7/8.8.5) id IAA18687;
	Fri, 29 Aug 1997 08:08:15 +0200 (MET DST)
Message-ID: <19970829080815.WY53612@uriah.heep.sax.de>
Date: Fri, 29 Aug 1997 08:08:15 +0200
From: j@uriah.heep.sax.de (J Wunsch)
To: freebsd-hackers@FreeBSD.ORG
Subject: Re: A disturbing discovery
References: <Pine.GSO.3.96.970828223602.3963B-100000@echonyc.com> <199708290315.FAA06905@bitbox.follo.net>
X-Mailer: Mutt 0.60_p2-3,5,8-9
Mime-Version: 1.0
X-Phone: +49-351-2012 669
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F  93 21 E0 7D F9 12 D6 4E
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
In-Reply-To: <199708290315.FAA06905@bitbox.follo.net>; from Eivind Eklund on Aug 29, 1997 05:15:41 +0200
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

As Eivind Eklund wrote:

> > When I made world the other day, it installed sperl4.036 -- isn't that
> > known to be insecure?
> 
> Warner <imp@freebsd.org> fixed this, AFAIK.  It was unsecure, but
> nothing that is known to be insecure is shipped.

That's not quite right.  There was one more fix, and all FreeBSD
versions that have been shipped went out with a version with a buffer
overflow.  Try an overly long identifier (> 256 chars) to see the
problem.

2.2.5 will have this fix, of course.

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)