Date: Tue, 11 Feb 1997 16:18:19 +0200 (EET)
From: Alexander Snarskii <snar@lucky.net>
To: michaelh@cet.co.jp (Michael Hancock)
Cc: freebsd-hackers@freebsd.org
Subject: Re: Increasing overall security....
Message-ID: <199702111418.QAA06995@burka.carrier.kiev.ua>
In-Reply-To: <Pine.SV4.3.95.970211082337.25315G-100000@parkplace.cet.co.jp> from "Michael Hancock" at Feb 11, 97 08:36:47 am

>
> > Last reason:
> > Look at /usr/src/lib/libc/stdio/gets.c - you'll see
> > the warning about this function, which is printed every time
> > a running program calls this function for the first time.
>
> gets shouldn't be used at all.
>
> Warner Losh (imp) is committing Theo's buffer overflow fixes to all
> exploitable or likely exploitable cases.

To all exploitable or likely exploitable cases in the _FreeBSD_ source tree; maybe that is a more correct definition. But does Theo check every new sendmail distribution? Or did he check all the FreeBSD packages/ports which can use these functions and have enough privileges to destroy your system if exploited? Or did anybody check them and publish patches for them (if holes are found)?

Well, I didn't see any security risk in using qpopper, but I haven't the time to check radius/tacacs+ daemons and so many other packages which are installed on my computer, and my patches are a 'fast-and-dirty way' to increase the security of _all_ dynamically linked executables. Even without recompiling them. Even without their source code.

Well, no one wants it, so let it be.

--
Alexander Snarskii
the source code is included.