Date:      Fri, 28 Jan 2000 01:37:51 -0800
From:      Alfred Perlstein <bright@wintelcom.net>
To:        Kris Kennaway <kris@hub.freebsd.org>
Cc:        Masafumi NAKANE <max@wide.ad.jp>, serg@dor.zaural.ru, freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject:   Re: delegate buffer overflow (ports)
Message-ID:  <20000128013751.A7157@fw.wintelcom.net>
In-Reply-To: <Pine.BSF.4.21.0001280053120.27989-100000@hub.freebsd.org>; from kris@hub.freebsd.org on Fri, Jan 28, 2000 at 12:55:54AM -0800
References:  <877lgufvc3.wl@fr.aslm.rim.or.jp> <Pine.BSF.4.21.0001280053120.27989-100000@hub.freebsd.org>

* Kris Kennaway <kris@hub.freebsd.org> [000128 01:26] wrote:
> On Fri, 28 Jan 2000, Masafumi NAKANE wrote:
> 
> > Instead, I will make this port to ask the user if he/she really wants
> > to continue the installation with the security information at
> > ``pkg_add'', ``make pre-fetch'' and ``make install'' times.  This
> 
> Hmm. If this is along the lines of:
> 
> **************************************
> ** WARNING!!! WARNING!!! WARNING!!! **
> **************************************
> 
> THIS PORT CONTAINS KNOWN SECURITY HOLES WHICH ALLOW A REMOTE ATTACKER TO
> EASILY TAKE CONTROL OF YOUR MACHINE. YOU INSTALL THIS PORT AT YOUR OWN
> RISK!! DON'T COME CRYING TO US IF YOU GET ROOTED BECAUSE OF INSTALLING
> THIS PORT.
> 
> Do you want hackers to be able to take remote control of your
> machine? (y/N):
> 
> then I guess I have no problem with it :-)
> 
> Kris

Actually something _like_ this would do a couple of good things:

a) make it known to the authors that we know their program is
   a security hazard
b) provide a common error message instead of multiple variations of
   FORBIDDEN making it harder to identify such ports; marking it
   insecure via INSECURE would be interesting, allowing a comment
   possibly containing a pointer to the advisory or email thread
   that got it marked so.

example:
INSECURE= http://docs.freebsd.org/cgi/getmsg.cgi?fetch=407538+0+current/freebsd-bugs

What do you think of this?

-Alfred
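The practical payoff of a single, common marking is that insecure ports become easy to enumerate. The script below is an added example, not code from the thread or from the FreeBSD ports tree: it builds a small constructed ports tree and scans every port Makefile for a FORBIDDEN= line (a real bsd.port.mk variable) or an INSECURE= line (Alfred's proposed variable, assumed here and not part of bsd.port.mk), printing one audit line per port with the reason or advisory pointer attached. The port names, versions and reasons in the sample tree are constructed; the one URL is the thread pointer quoted in the message above.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate ports marked FORBIDDEN=
# (real bsd.port.mk variable) or INSECURE= (hypothetical variable proposed
# in the message above) and show the reason/pointer recorded on each.

set -u

# Build a small constructed ports tree in a temp dir and print its root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/www/delegate" "$root/net/fineproxy" "$root/misc/okport"

    # Constructed port using the proposed INSECURE= marking; the value is the
    # thread pointer quoted in Alfred's message.
    cat > "$root/www/delegate/Makefile" <<'EOF'
PORTNAME=   delegate
PORTVERSION=    6.0.7
INSECURE=   http://docs.freebsd.org/cgi/getmsg.cgi?fetch=407538+0+current/freebsd-bugs
EOF

    # Constructed port using the existing FORBIDDEN= convention (free-text reason).
    cat > "$root/net/fineproxy/Makefile" <<'EOF'
PORTNAME=   fineproxy
PORTVERSION=    0.1
FORBIDDEN=  "known remote buffer overflow, see vendor advisory (constructed)"
EOF

    # Constructed port with no marking at all; must not appear in the report.
    cat > "$root/misc/okport/Makefile" <<'EOF'
PORTNAME=   okport
PORTVERSION=    1.0
EOF
    echo "$root"
}

# scan_insecure_ports ROOT
# Prints "category/port<TAB>VARIABLE<TAB>value" for every port Makefile that
# sets FORBIDDEN or INSECURE (with =, ?= or :=), sorted by port path.
scan_insecure_ports() {
    root=$1
    find "$root" -mindepth 3 -maxdepth 3 -name Makefile |
    while IFS= read -r mk; do
        dir=${mk%/Makefile}
        port=${dir#"$root"/}
        awk -v port="$port" '
            /^[[:space:]]*(FORBIDDEN|INSECURE)[[:space:]]*[?:]?=/ {
                var = $0
                sub(/[[:space:]]*[?:]?=.*/, "", var)   # keep the variable name
                sub(/^[[:space:]]*/, "", var)
                val = $0
                sub(/^[^=]*=[[:space:]]*/, "", val)  # keep the reason/pointer
                printf "%s\t%s\t%s\n", port, var, val
            }' "$mk"
    done | sort
}

# Run as a stand-alone report when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    scan_insecure_ports "$tree"
    rm -rf "$tree"
fi
```

Against a real tree the same scan is `scan_insecure_ports /usr/ports`; the point of the proposed INSECURE= variable is that the third column then carries a pointer to the advisory or thread rather than whatever free text each maintainer chose for FORBIDDEN.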