Date: Wed, 23 Jan 2002 09:43:49 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Buliwyf McGraw <buliwyf@libertad.univalle.edu.co>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: gets() is unsafe (fwd)
Message-ID: <20020123094349.A38509@xor.obsecurity.org>
In-Reply-To: <Pine.BSF.4.43.0201231126240.62074-100000@libertad.univalle.edu.co>; from buliwyf@libertad.univalle.edu.co on Wed, Jan 23, 2002 at 11:26:36AM -0500
References: <Pine.BSF.4.43.0201231126240.62074-100000@libertad.univalle.edu.co>
On Wed, Jan 23, 2002 at 11:26:36AM -0500, Buliwyf McGraw wrote:
> Ok, I did this proof... xmms 1.25 has a security problem (I read
> something about it but I don't know exactly the problem description),
> the point is, that is the version of xmms in the ports for FreeBSD 4.4.
> I was looking in the xmms web site (www.xmms.org) and I found a new
> version of the program (1.26) that fixes the problems of the 1.25 ... I
> downloaded the new source code and tried to compile it... but the compiler
> told me: "unsafe code" and I got a lot of error/warning messages about
> it. In the end, I couldn't install it.
> Let's try the ports I said:
> % cd /usr/ports/audio/xmms
> % make
> % make install

You seem to be very confused about something. I've already told you
(twice now!) that when the linker spits out a whole host of warning
messages like this:

/usr/lib/libc.so.4: WARNING! setkey(3) not present in the system!
/usr/lib/libc.so.4: warning: this program uses gets(), which is unsafe.
/usr/lib/libc.so.4: warning: mktemp() possibly used unsafely; consider using mks
/usr/lib/libc.so.4: WARNING! des_setkey(3) not present in the system!
/usr/lib/libc.so.4: WARNING! encrypt(3) not present in the system!
/usr/lib/libc.so.4: warning: tmpnam() possibly used unsafely; consider using mks
/usr/lib/libc.so.4: warning: this program uses f_prealloc(), which is stupid.
/usr/lib/libc.so.4: WARNING! des_cipher(3) not present in the system!
/usr/lib/libc.so.4: warning: tempnam() possibly used unsafely; consider using mk
[....]

it is not because the program is actually using all those functions, but
because of a BUG in the linker. To repeat:

*** This does not indicate insecurity in the application, but a
*** BUG IN THE LINKER.
***

Those warnings are indeed emitted if you use one or more of the insecure
functions (although some of the warnings in the above list aren't
security-related, just informational); the signature that you're
triggering the bug is that you get EVERY SINGLE WARNING CONTAINED IN LIBC
emitted, like what I pasted above.

Sorry to spell it out so blatantly, but the message hasn't gotten through
the last two mails I've sent on this subject.

There is no magical way for the compiler to tell that there is an
unspecified security problem in a piece of code like xmms (most security
problems are not because of using a function which libc can sensibly warn
about, they're from misusing C functions which are used in almost every
application). If there was, all our troubles would be over. All it can
easily do is warn about certain functions which are difficult or
impossible to use safely; and it does this no matter whether you use the
FreeBSD port or compile by hand.

Furthermore, if you look at a number of ports, like pine or gdm or
delegate, we have explicit warnings in front of the port build about
security which you won't get if you compile by hand. Some software
packages are created by the vendor with defaults which are unsafe on
FreeBSD; we fix those in the FreeBSD port. When you install a port which
installs potentially dangerous files, like setugid binaries or a network
server which is started automatically at boot time, the port will warn
you after it's installed. Again, you won't get this if you install by
hand.

Even furthermore, we usually patch every security vulnerability in the
FreeBSD port which we discover or which are reported to us within a day
or so -- often within hours. This is a much higher level of service than
you'd get if you didn't use the ports.

> The ports are a good/easy way to install applications on the box, but
> it doesn't offer security guarantees.

To summarize, it provides a heck of a lot more than you'd get otherwise.

I hope this has finally clarified the issue for you.

Kris
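As an added illustration of the gets() warning discussed above (example code, not from the thread, from xmms or from FreeBSD libc): a line reader that, unlike gets(), takes its buffer size and reports a line that does not fit instead of overrunning the buffer. The names read_line and run_sample and the sample input are constructed for this example; fmemopen is POSIX.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
/* Added example (not from the thread): gets() takes no bound, which is why
 * libc warns whenever it is linked in. This bounded replacement reports a
 * line that does not fit instead of overrunning buf. */
enum read_status { READ_OK, READ_EOF, READ_TOO_LONG };

/* Read one line into buf (bufsz bytes), dropping the newline. An oversized
 * line is drained so the next call starts fresh, and READ_TOO_LONG returned. */
enum read_status read_line(char *buf, size_t bufsz, FILE *fp)
{
    if (bufsz == 0 || fgets(buf, (int)bufsz, fp) == NULL)
        return READ_EOF;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return READ_OK;
    }
    /* No newline: the line fit exactly, the file ended without one, or the
     * line exceeds bufsz-1 bytes and the rest must be discarded. */
    int c = fgetc(fp);
    if (c == '\n' || c == EOF)
        return READ_OK;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;
    return READ_TOO_LONG;
}
struct sample_result { int lines; int truncated; int last_len; };
/* Constructed input: a short line, an oversized line, an unterminated line. */
static const char SAMPLE[] =
    "short\nthis line is far longer than the sixteen byte buffer\ntail";
/* Feed SAMPLE through read_line with a 16-byte buffer (fmemopen is POSIX). */
struct sample_result run_sample(void)
{
    struct sample_result r = { 0, 0, 0 };
    FILE *fp = fmemopen((void *)SAMPLE, sizeof SAMPLE - 1, "r");
    if (fp == NULL) return r;
    char buf[16];
    enum read_status st;
    while ((st = read_line(buf, sizeof buf, fp)) != READ_EOF) {
        r.lines++;
        if (st == READ_TOO_LONG)
            r.truncated++;
        else
            r.last_len = (int)strlen(buf);
    }
    fclose(fp);
    return r;
}
```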