From owner-freebsd-hackers Tue Feb 11 06:19:44 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id GAA21863 for hackers-outgoing; Tue, 11 Feb 1997 06:19:44 -0800 (PST) Received: from burka.carrier.kiev.ua (snar@burka.carrier.kiev.ua [193.193.193.100]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA21851 for ; Tue, 11 Feb 1997 06:19:32 -0800 (PST) Received: (from snar@localhost) by burka.carrier.kiev.ua (8.8.4/8.who.cares.1) id QAA06995; Tue, 11 Feb 1997 16:18:20 +0200 (EET) From: Alexander Snarskii Message-Id: <199702111418.QAA06995@burka.carrier.kiev.ua> Subject: Re: Increasing overall security.... To: michaelh@cet.co.jp (Michael Hancock) Date: Tue, 11 Feb 1997 16:18:19 +0200 (EET) Cc: freebsd-hackers@freebsd.org In-Reply-To: from "Michael Hancock" at Feb 11, 97 08:36:47 am Content-type: text/plain; charset=koi8-r X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-hackers@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > > Last reason: > > Look to the /usr/src/lib/libc/stdio/gets.c - you'll see > > the warning about this function, which are printed everytime, > > when working programm calls this function first time. > > gets shouldn't be used at all. > > Warner Losh (imp) is committing Theos' buffer overflow fixes to all > exploitable or likely exploitable cases. To all exploitable or likely exploitable cases in the _FreeBSD_ source tree, may be this is a more correct definition. But do Theo checks every new sendmail distribution ? Or did he checked all the FreeBSD packages/ports which can use this functions and have enough privileges to destroy your system if exploited? Or did anybody checks it and published patches to ones (if the holes are found) ? Well, i did'nt saw any security risk in using of qpopper, but i have'nt a time to check radius/tacacs+ daemons and so many other packages, which are installed on my computer, and my patches is 'fast-and-dirty way' to increase securityness of _all_ dynamically linked executables. Even without recompiling ones. Even without source code of ones. Well, no one wants it, so let it be. -- Alexander Snarskii the source code is included.