From owner-freebsd-audit Tue Apr 25 23:24:49 2000
Date: Tue, 25 Apr 2000 23:24:47 -0700 (PDT)
From: Kris Kennaway
To: audit@freebsd.org
Subject: libmytinfo

Okay guys, here's our first real challenge :-)

As you probably know, libmytinfo on 3.X had an overflow reported on bugtraq. I've committed a fix for this one, but the rest of that code scares me a lot - there are undoubtedly other problems remaining.

We need to do a thorough audit of libncurses, libmytinfo, libtermcap, and libcurses in 3.X, as well as 4.0. 3.X and 4.X have different versions of ncurses (the 3.X version is positively ancient), hopefully the newer one is safer.

This particular overflow was an unguarded while() loop which copies a string, but the library also makes use of unsafe string functions which accept input from getenv() :-(

Hopefully we'll find the remaining bugs before anyone else does :-)

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Thu Apr 27 13: 7:32 2000
Date: Thu, 27 Apr 2000 16:06:18 -0400 (EDT)
From: Mike Heffner
Reply-To: Mike Heffner
To: FreeBSD-audit
Subject: a website framework?

Hi,

While trying to learn some PHP and mysql for interest, I've created a possible framework for an audit project website. The site's at:

    http://muriel.penguinpowered.com

The site allows the auditing of a codebase, e.g. the FreeBSD source, without having to insert audit tags into the src files, but rather keep them in a database. If anyone wants to use the design to create an -audit website, let me know and I'll let you have all the scripts.

P.S. The above address is a DynIP host, but my address is a rather static dhcp address so there shouldn't be any problems, I'll try to keep the name pointing to the correct IP.
-Later

/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA ICQ# 882073       *
 * Sent at: 27-Apr-2000 -- 15:59:23 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/

From owner-freebsd-audit Fri Apr 28 14: 8:25 2000
Date: Fri, 28 Apr 2000 17:06:55 -0400 (EDT)
From: Mike Heffner
Reply-To: Mike Heffner
To: Mike Heffner
Cc: FreeBSD-audit
Subject: RE: a website framework?

On 27-Apr-2000 Mike Heffner wrote:
| Hi,
|
| While trying to learn some PHP and mysql for interest, I've created a
| possible
| framework for an audit project website. The site's at:
|
| http://muriel.penguinpowered.com
| ...

I screwed something up in the config file, if you were trying to connect before but couldn't, please try again.
/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA ICQ# 882073       *
 * Sent at: 28-Apr-2000 -- 16:51:45 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/

From owner-freebsd-audit Fri Apr 28 17:47:28 2000
Date: Sat, 29 Apr 2000 10:47:49 +1000
From: Peter Jeremy
To: Kris Kennaway
Cc: audit@FreeBSD.ORG
Subject: Re: libmytinfo
Message-Id: <00Apr29.104751est.115206@border.alcanet.com.au>

On Wed, Apr 26, 2000 at 04:25:29PM +1000, Kris Kennaway wrote:
>We need to do a thorough audit of libncurses, libmytinfo, libtermcap, and
>libcurses in 3.X, as well as 4.0. 3.X and 4.X have different versions of
>ncurses (the 3.X version is positively ancient),

Unless there were API changes, why not just audit the newer version and just MFC it back to 3.x? Auditing the old code is probably going to be more time consuming than working around the differences.
Peter

From owner-freebsd-audit Sat Apr 29 12:55:10 2000
Date: Sat, 29 Apr 2000 12:55:08 -0700 (PDT)
From: Kris Kennaway
To: Peter Jeremy
Cc: audit@FreeBSD.ORG
Subject: Re: libmytinfo
In-Reply-To: <00Apr29.104751est.115206@border.alcanet.com.au>

On Sat, 29 Apr 2000, Peter Jeremy wrote:

> Unless there were API changes, why not just audit the newer version
> and just MFC it back to 3.x? Auditing the old code is probably going
> to be more time consuming than working around the differences.

I understand from Peter Wemm that there are significant API changes in later versions, together with significant local hacks which would make this a nightmare (libmytinfo itself being one such hack, I think). IMO, we'll either need to upgrade to a later version and break backwards-compatibility, or stick with the one we have now and audit it.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe
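
The bug class named in the first message of this thread (an unguarded while() loop that copies a string, with input reachable through getenv()), shown beside a bounded form an auditor would replace it with. This is an added example, not code from libmytinfo or from any poster; the function names, the 16-byte buffer and the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names; not libmytinfo code. Pattern from the thread: the loop
 * ends only at the source's NUL, so the destination size never limits the copy. */
static void copy_unguarded(char *dst, const char *src)
{
    while (*src != '\0')
        *dst++ = *src++;
    *dst = '\0';
}

/* Bounded form: 0 on success, -1 if src is NULL or does not fit. Fails closed
 * (dst becomes "") rather than truncating, since a shortened value changes meaning. */
static int copy_guarded(char *dst, size_t dstsz, const char *src)
{
    size_t i;
    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    for (i = 0; src[i] != '\0'; i++) {
        if (i + 1 >= dstsz) {        /* no room for this byte plus the NUL */
            dst[0] = '\0';
            return -1;
        }
        dst[i] = src[i];
    }
    dst[i] = '\0';
    return 0;
}

/* getenv() values are caller-controlled, so they take the bounded path. */
static int env_to_buf(const char *name, char *dst, size_t dstsz)
{
    return copy_guarded(dst, dstsz, getenv(name));
}

int main(void)
{
    char term[16];
    copy_unguarded(term, "vt100");   /* constructed input: 5 bytes + NUL fits */
    printf("unguarded: %s\n", term);
    printf("oversized: %d\n", copy_guarded(term, sizeof term, "constructed-value-over-16-bytes"));
    printf("TERM: %d \"%s\"\n", env_to_buf("TERM", term, sizeof term), term);
    return 0;
}
```

When auditing, the same question applies to every copy loop and every strcpy()/strcat()/sprintf() call: what bounds the write, and can the source come from the environment.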