From: Kris Kennaway
To: John Merryweather Cooper
Cc: freebsd-ports@FreeBSD.ORG
Date: Wed, 25 Jul 2001 21:58:18 -0700
Subject: Re: ports/29112: Potential security issues in Balsa & Encompass
Message-ID: <20010725215817.A46076@xor.obsecurity.org>

On Tue, Jul 24, 2001 at 11:40:01AM -0700, John Merryweather Cooper wrote:
> The following reply was made to PR ports/29112; it has been noted by GNATS.
>
> From: John Merryweather Cooper
> To: freebsd-gnats-submit@FreeBSD.org, quik@quikbox.ca
> Cc:
> Subject: Re: ports/29112: Potential security issues in Balsa & Encompass
> Date: Tue, 24 Jul 2001 11:36:42 -0700
>
> Well, the problem is NOT in any of Balsa's source code.  I've grepped,
> eye-balled, head-banged, etc. the entire source code and I can conclude:

This is almost certainly due to a linker bug which triggers all of the
possible warnings in libc{_r} if you link incorrectly against the
library.  I wish someone would track it down and fix it :-)

> 1) setkey(3), des_setkey(3), encrypt(3), and des_cipher(3) reside in
> libcipher--correct me if I'm wrong, but this is a US-only library (at
> least legally).  Since S/MIME is not currently implemented (but there
> are plans to do so for Balsa), lacking these functions produces the
> warnings--but does not appear to affect function--
>
> 2) mktemp() is not used anywhere in Balsa.  Balsa "rolls its own"
> mktemp which resides in libmutt.  There may be a performance advantage
> to using mkstemp() as a replacement (I will verify this)--

AIEEEE..all code which rolls its own "better" tempfile creation code
must die.  95% of the implementations I've seen get it wrong.

Kris
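
Added example, not part of the original message and not Balsa or libmutt code: one common way hand-rolled temp-file code goes wrong is opening a generated name without O_EXCL, shown here beside an exclusive open and mkstemp(3). All file names and function names below are constructed for the illustration, and everything happens inside a private scratch directory.

```c
#define _XOPEN_SOURCE 700 /* mkdtemp, mkstemp, symlink */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hand-rolled pattern: open() without O_EXCL follows an existing symlink. */
static int open_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* O_CREAT|O_EXCL fails (EEXIST) if anything, a symlink included, is there. */
static int open_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* In a private scratch dir, put a 4-byte victim file behind a symlink at the
 * (constructed) temp name and run one opener; returns the victim's size after:
 * 4 = untouched, 9 = overwritten through the symlink. */
long victim_size_after(int use_excl) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", victim[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/app.1234.tmp", dir);
    int fd = open_excl(victim);
    if (fd < 0 || write(fd, "keep", 4) != 4 || close(fd) != 0) return -1;
    if (symlink(victim, tmp) != 0) return -1;
    fd = use_excl ? open_excl(tmp) : open_naive(tmp);
    if (fd >= 0) { if (write(fd, "clobbered", 9) != 9) return -1; close(fd); }
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return size;
}

/* mkstemp(3) names and creates the file exclusively; 1 = no group/other access. */
int mkstemp_is_private(void) {
    char tmpl[] = "/tmp/tmpdemo.XXXXXX"; struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    int ok = fstat(fd, &st) == 0 && (st.st_mode & 077) == 0;
    close(fd); unlink(tmpl);
    return ok;
}

int main(void) {
    printf("naive=%ld O_EXCL=%ld\n", victim_size_after(0), victim_size_after(1));
    return mkstemp_is_private() == 1 ? 0 : 1;
}
```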