Date: Wed, 5 Feb 1997 15:15:55 -0600 (CST) From: Karl Denninger <karl@mcs.net> To: tenser@spitfire.ecsel.psu.edu (Dan Cross) Cc: karl@mcs.net, security@freebsd.org Subject: Re: PATCH for *ALL* FreeBSD Setlocale() problems - EVERYONE SHOULD READ THIS MESSAGE Message-ID: <199702052115.PAA14224@Jupiter.Mcs.Net> In-Reply-To: <19970205210908.417.qmail@spitfire.ecsel.psu.edu> from "Dan Cross" at Feb 5, 97 04:09:08 pm
next in thread | previous in thread | raw e-mail | index | archive | help
> > > I will EXPECT that these will show up in the CVS tree within 48 hours > > unless there are VERY good reasons expressed for them not being included. > > I WILL be looking for them to appear. > > Well, for -current, they are somewhat unnecessary. I made a complete > fool out of myself last night on freebsd-bugs, thus implicitly demons- > trating this. :-) > > Remember, folks, not *all* calls to strcpy() are bad; sometimes range > checking can be accomplished in non-intuitive ways. I expect that just > back-porting the code from -current into 2.1 and 2.2 will be enough to > solve the problem. > > However, if I am incorrect and you have an exploit that runs against > -current, please let me know, as I would like to see where the error > lies. However, I poured over the -current code last night, and while > I agree that it needs a bath, I'm pretty certain that it's secure. > > Thanks! > > - Dan C. > > (...whose actually gotten some sleep now, and isn't so quick to make > stupid mistakes in his trains of thought... :-) No. Try the exploit against an unpatched system's "at" program. It dumps core, which means that you're vulnerable (the stack got blasted). -- -- Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service | 99 Analog numbers, 77 ISDN, Web servers $75/mo Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/ Fax: [+1 773 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702052115.PAA14224>