Date:      Wed, 23 Jan 2002 09:43:49 -0800
From:      Kris Kennaway <kris@obsecurity.org>
To:        Buliwyf McGraw <buliwyf@libertad.univalle.edu.co>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: gets() is unsafe (fwd)
Message-ID:  <20020123094349.A38509@xor.obsecurity.org>
In-Reply-To: <Pine.BSF.4.43.0201231126240.62074-100000@libertad.univalle.edu.co>; from buliwyf@libertad.univalle.edu.co on Wed, Jan 23, 2002 at 11:26:36AM -0500
References:  <Pine.BSF.4.43.0201231126240.62074-100000@libertad.univalle.edu.co>

On Wed, Jan 23, 2002 at 11:26:36AM -0500, Buliwyf McGraw wrote:

>   OK, I did this proof... xmms 1.25 has a security problem (I read
>   something about it but I don't know exactly the problem description),
>   the point is, that is the version of xmms in the ports for FreeBSD 4.4.
>   I was looking on the xmms web site (www.xmms.org) and I found a new
>   version of the program (1.26) that fixes the problems of 1.25 ... I
>   downloaded the new source code and tried to compile it... but the compiler
>   told me: "unsafe code" and I got a lot of error/warning messages about
>   it. In the end, I couldn't install it.
>   Let's try the ports I said:
>   % cd /usr/ports/audio/xmms
>   % make
>   % make install

You seem to be very confused about something.  I've already told you
(twice now!) that when the linker spits out a whole host of warning
messages like this:

/usr/lib/libc.so.4: WARNING!  setkey(3) not present in the system!
/usr/lib/libc.so.4: warning: this program uses gets(), which is unsafe.
/usr/lib/libc.so.4: warning: mktemp() possibly used unsafely; consider using mks
/usr/lib/libc.so.4: WARNING!  des_setkey(3) not present in the system!
/usr/lib/libc.so.4: WARNING!  encrypt(3) not present in the system!
/usr/lib/libc.so.4: warning: tmpnam() possibly used unsafely; consider using mks
/usr/lib/libc.so.4: warning: this program uses f_prealloc(), which is stupid.
/usr/lib/libc.so.4: WARNING!  des_cipher(3) not present in the system!
/usr/lib/libc.so.4: warning: tempnam() possibly used unsafely; consider using mk
[....]

it is not because the program is actually using all those functions,
but because of a BUG in the linker.  To repeat:

    *** This does not indicate insecurity in the application, but a
    *** BUG IN THE LINKER. ***

Those warnings are indeed emitted if you use one or more of the
insecure functions (although some of the warnings in the above list
aren't security-related, just informational); the signature that
you're triggering the bug is that you get EVERY SINGLE WARNING
CONTAINED IN LIBC emitted, like what I pasted above.

Sorry to spell it out so blatantly, but the message hasn't gotten
through the last two mails I've sent on this subject.

There is no magical way for the compiler to tell that there is an
unspecified security problem in a piece of code like xmms (most
security problems are not because of using a function which libc can
sensibly warn about, they're from misusing C functions which are used
in almost every application).  If there was, all our troubles would be
over.  All it can easily do is warn about certain functions which are
difficult or impossible to use safely; and it does this no matter
whether you use the FreeBSD port or compile by hand.

Furthermore, if you look at a number of ports, like pine or gdm or
delegate, we have explicit warnings in front of the port build about
security which you won't get if you compile by hand.  Some software
packages are created by the vendor with defaults which are unsafe on
FreeBSD; we fix those in the FreeBSD port.  When you install a port
which installs potentially dangerous files, like setugid binaries or a
network server which is started automatically at boot time, the port
will warn you after it's installed.  Again, you won't get this if you
install by hand.

Even furthermore, we usually patch every security vulnerability in the
FreeBSD port which we discover or which are reported to us within a
day or so -- often within hours.  This is a much higher level of
service than you'd get if you didn't use the ports.

>   The ports are a good/easy way to install applications on the box, but
>   they don't offer security guarantees.

To summarize, it provides a heck of a lot more than you'd get
otherwise.

I hope this has finally clarified the issue for you.

Kris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8TvZUWry0BWjoQKURAnIjAJwNMJ3eNFJIVDgCtnYRC8gYCPWEogCgtcyZ
ML2RQgpLNWOPquFobIY4h7c=
=JUsB
-----END PGP SIGNATURE-----


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020123094349.A38509>
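The gets() and mktemp()/tmpnam()/tempnam() lines in the warning list above are the kind of warning libc can sensibly emit: those functions are not fixable by careful calling, only by replacement. The block below is an added example (editor's code, not from xmms, the FreeBSD port, or FreeBSD's libc) showing what a port patch substitutes: a bounded line reader built on fgets() that tells a line that fit apart from one that was cut off, and mkstemp() in place of the name-only temp-file functions. The sample input, the function names and the /tmp template name are constructed for this example; it assumes a POSIX system with fmemopen() and a writable /tmp.

```c
/* Added example (editor's code, not from xmms or FreeBSD libc): what two of
 * the libc link warnings quoted above mean in practice. gets() takes no
 * length, so no caller can use it safely; mktemp()/tmpnam()/tempnam() only
 * return a name that is opened later, leaving a window for a symlink race. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

enum line_status { LINE_OK, LINE_EOF, LINE_TOO_LONG, LINE_ERROR };

/* Bounded replacement for gets(): read one line into buf[bufsz] and strip
 * the newline. fgets() caps the read; the remaining work is telling "the
 * line fit" from "the line was cut off", which fgets() does not report.
 * On LINE_TOO_LONG the rest of the line is drained so the next call
 * starts at a real line boundary instead of treating the tail as input. */
enum line_status read_line(FILE *fp, char *buf, size_t bufsz)
{
    if (bufsz < 2) return LINE_ERROR;
    if (fgets(buf, (int)bufsz, fp) == NULL)
        return ferror(fp) ? LINE_ERROR : LINE_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline in buf: peek at the next byte to tell the cases apart. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n')      /* last line without '\n', or exactly bufsz-1 chars */
        return LINE_OK;
    while (c != '\n' && c != EOF)   /* overlong line: discard the remainder */
        c = fgetc(fp);
    return LINE_TOO_LONG;
}

/* Constructed sample input (not real data). With a 16-byte buffer: line 2
 * is too long, line 3 is exactly 15 characters and must still be accepted,
 * and the last line has no trailing newline. */
static const char sample_input[] =
    "short\n"
    "this line is definitely too long for a 16-byte buffer\n"
    "exactly15chars!\n"
    "last";

/* Run read_line over an in-memory text with a bufsz-byte line buffer and
 * return the status of the nth call (0-based), copying that call's buffer
 * into out when out is non-NULL. */
enum line_status nth_line(const char *text, size_t bufsz, int n,
                          char *out, size_t outsz)
{
    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    char *buf = malloc(bufsz);
    if (fp == NULL || buf == NULL) { free(buf); if (fp) fclose(fp); return LINE_ERROR; }
    enum line_status st = LINE_ERROR;
    buf[0] = '\0';
    for (int i = 0; i <= n; i++) {
        st = read_line(fp, buf, bufsz);
        if (st == LINE_EOF || st == LINE_ERROR) break;
    }
    if (out != NULL) snprintf(out, outsz, "%s", buf);
    free(buf);
    fclose(fp);
    return st;
}

/* True if the nth call's buffer equals expect. */
int nth_line_equals(const char *text, size_t bufsz, int n, const char *expect)
{
    char out[256];
    nth_line(text, bufsz, n, out, sizeof out);
    return strcmp(out, expect) == 0;
}

/* Replacement for mktemp()/tmpnam()/tempnam(): mkstemp() creates and opens
 * the file in one step with O_EXCL, so there is no gap between choosing a
 * name and creating the file. The template's trailing XXXXXX is rewritten
 * in place. Returns the open fd, or -1. */
int open_private_tempfile(char *path_template)
{
    int fd = mkstemp(path_template);
    if (fd == -1) return -1;
    /* Current libcs create it 0600; old ones used 0666, so tighten anyway. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) == -1) { close(fd); unlink(path_template); return -1; }
    return fd;
}

int main(void)
{
    char line[16], path[] = "/tmp/linewarn.XXXXXX";   /* hypothetical template */
    for (int i = 0; i < 5; i++)
        printf("call %d: status %d \"%s\"\n", i,
               (int)nth_line(sample_input, sizeof line, i, line, sizeof line), line);
    int fd = open_private_tempfile(path);
    printf("temp file: %s\n", fd == -1 ? "failed" : path);
    if (fd != -1) { close(fd); unlink(path); }
    return 0;
}
```

Run it and call 1 comes back TOO_LONG while call 2, at exactly 15 characters, is accepted; that boundary is the case a naive "no newline means truncated" check gets wrong. Whether a given binary really references one of these functions is a separate question from the warnings: an undefined symbol for gets in the `nm -u` output of the linked program means it (or a library it pulls in) calls gets(), whereas the linker bug Kris describes prints every warning in libc regardless.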