Date:      Sun, 1 Nov 1998 19:27:24 -0800
From:      "Jan B. Koum " <jkb@best.com>
To:        Peter Jeremy <peter.jeremy@auss2.alcatel.com.au>
Cc:        freebsd-security@FreeBSD.ORG, winter@jurai.net
Subject:   Re: SSH vsprintf patch. (You've been warned Mr. Glass)
Message-ID:  <19981101192724.A26335@best.com>
In-Reply-To: <98Nov2.132551est.40330@border.alcanet.com.au>; from Peter Jeremy on Mon, Nov 02, 1998 at 01:26:18PM +1100
References:  <98Nov2.132551est.40330@border.alcanet.com.au>

On Mon, Nov 02, 1998 at 01:26:18PM +1100, Peter Jeremy <peter.jeremy@auss2.alcatel.com.au> wrote:
> "Matthew N. Dodd" <winter@jurai.net> wrote:
> >  At this point there isn't any reason not to go about fixing these
> >potential problems though.
> 
> ssh also contains a large number of sprintf() calls.  Not all of these
> are immediately innocuous.  There are also 2 sscanf() calls with %s
> formats which could be dangerous.  Not to mention the str[n]cat() and
> str[n]cpy() calls.  Unfortunately I have another bushfire to worry
> about right now, or I'd check through them as well.
> 
> The problem with C is that there are too many ways to shoot yourself
> in the foot...  A full security audit on ssh (which it sounds like it
> might need) would be fairly time-consuming.
> 
> Peter
> --
> Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
> Alcatel Australia Limited
> 41 Mandible St                          Phone: +61 2 9690 5019
> ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5247
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

	Which is why when you install ssh, you can run ./configure with 
	"--disable-suid-ssh" argument.

-- Yan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
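The two failure modes Peter names above, an unbounded `%s` in sscanf() and a sprintf() into a fixed buffer, both come down to writing past the end of the destination. The following is an added illustration, not code from the thread or from ssh itself, of the bounded forms a reviewer would expect in their place: a sscanf() width derived from the buffer size (with detection of over-long tokens) and an snprintf() whose return value is checked for truncation. The function names and the sample inputs are made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Read one whitespace-delimited token from `line` into `out` (size outlen).
 * Returns 0 on success, -1 if no token is present or the token would not fit.
 * sscanf() widths must be literal digits in the format string, so the width
 * (outlen - 1, leaving room for the NUL) is formatted into `fmt` at run time.
 * A bare "%s" has no width at all and writes however much input arrives. */
int parse_token_bounded(const char *line, char *out, size_t outlen)
{
    char fmt[32];
    char probe;
    int n;

    if (outlen < 2 || outlen - 1 > 999999)
        return -1;
    /* Build "%<width>s%c": the trailing %c reads the character right after
     * the token, which tells us whether the token continued past the width. */
    snprintf(fmt, sizeof fmt, "%%%zus%%c", outlen - 1);
    n = sscanf(line, fmt, out, &probe);
    if (n < 1)
        return -1;                  /* empty or whitespace-only input */
    if (n == 2 && probe != ' ' && probe != '\t' && probe != '\n')
        return -1;                  /* token longer than the buffer: truncated */
    return 0;
}

/* Format "user@host" into a fixed buffer. Returns 0, or -1 when the result
 * did not fit. sprintf() would have overflowed silently; snprintf() reports
 * the length it wanted, and the caller must compare it against outlen. */
int format_bounded(char *out, size_t outlen, const char *user, const char *host)
{
    int n = snprintf(out, outlen, "%s@%s", user, host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}
```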
