Date: Tue, 03 Nov 1998 13:18:10 +0800
From: Peter Wemm <peter@netplex.com.au>
To: Warner Losh <imp@village.org>
Cc: Ollivier Robert <roberto@keltia.freenix.fr>, cvs-committers@FreeBSD.ORG
Subject: Re: cvs commit: ports/security/ssh/patches patch-at patch-au patch-av
Message-ID: <199811030518.NAA21906@spinner.netplex.com.au>
In-Reply-To: Your message of "Mon, 02 Nov 1998 20:06:02 MST." <199811030306.UAA17913@harmony.village.org>
Warner Losh wrote:
> In message <19981102200058.A4209@keltia.freenix.fr> Ollivier Robert writes:
> : It must be noted that, although this patch is good, IBM has withdrawn its
> : advisory and retracted.
>
> Yes. I noticed that as well. Given the history of logging functions
> being used as vectors for attack, I think it wise to leave them in.

Agreed. The main reason why it isn't a good generic patch is because a lot of systems still do not have snprintf and friends. However, since all the users of the ports tree do, it doesn't hurt to have extra safety belts. After all, if in spite of the trouble ssh goes to with limiting strings, we somehow managed to let a long string pass down from the callers, I'd rather know that it isn't going to break something.

It's the same with qpopper. They fixed the log message generation to limit the size of the lines rather than fix the sprintfs, but if they missed just one... That's why I won't use qpopper any more; there are so many boundary cases where long strings are not null terminated etc.

> Warner

Cheers,
-Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
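An added illustration of the "safety belt" the thread endorses (example code, not from the ssh port patches or from anyone in the thread): a log-line formatter that bounds its write with snprintf, copes with input that is not NUL-terminated, and reports truncation so the caller can notice. The names LOG_LINE_MAX and format_log_line and the constructed inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Deliberately small so the truncation path is easy to exercise. */
#define LOG_LINE_MAX 64

/*
 * Unsafe pattern the patches in this thread replace (shown only as a
 * comment, never called here):
 *
 *     char line[LOG_LINE_MAX];
 *     sprintf(line, "%s: %s", tag, msg);   // no bound on msg length
 *
 * If msg is longer than the buffer, sprintf writes past the end of line.
 */

/*
 * Bounded formatter. Returns 0 if the whole line fit, 1 if it was
 * truncated to fit, -1 on a formatting error. The output is always
 * NUL-terminated when outsz > 0.
 *
 * msg is passed with an explicit length and printed with "%.*s", which
 * bounds the READ as well as the write: a buffer that carries no NUL
 * terminator (typical for data lifted straight off the wire) is still
 * safe to log.
 */
int format_log_line(char *out, size_t outsz, const char *tag,
                    const char *msg, size_t msglen)
{
    if (out == NULL || outsz == 0)
        return -1;

    int n = snprintf(out, outsz, "%s: %.*s", tag, (int)msglen, msg);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    /* snprintf returns the length it WANTED to write; >= outsz means cut. */
    return ((size_t)n >= outsz) ? 1 : 0;
}

int main(void)
{
    char out[LOG_LINE_MAX];
    char raw[200];
    memset(raw, 'A', sizeof raw);        /* constructed: 200 bytes, no NUL */

    int rc = format_log_line(out, sizeof out, "login", raw, sizeof raw);
    printf("rc=%d len=%zu line=\"%s\"\n", rc, strlen(out), out);
    return 0;
}
```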