Date: Mon, 2 Nov 1998 13:26:18 +1100 From: Peter Jeremy <peter.jeremy@auss2.alcatel.com.au> To: freebsd-security@FreeBSD.ORG, winter@jurai.net Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass) Message-ID: <98Nov2.132551est.40330@border.alcanet.com.au>
next in thread | raw e-mail | index | archive | help
"Matthew N. Dodd" <winter@jurai.net> wrote: > At this point there isn't any reason not to go about fixing these >potential problems though. ssh also contains a large number of sprintf() calls. Not all of these are immediately innocuous. There are also 2 sscanf() calls with %s formats which could be dangerous. Not to mention the str[n]cat() and str[n]cpy() calls. Unfortunately I have another bushfire to worry about right now, or I'd check through them as well. The problem with C is that there are too many ways to shoot yourself in the foot... A full security audit on ssh (which it sounds like it might need) would be fairly time-consuming. Peter -- Peter Jeremy (VK2PJ) peter.jeremy@alcatel.com.au Alcatel Australia Limited 41 Mandible St Phone: +61 2 9690 5019 ALEXANDRIA NSW 2015 Fax: +61 2 9690 5247 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?98Nov2.132551est.40330>