John Galt wrote: > > On Wed, 21 Nov 2001, Guillaume Morin wrote: > > >Dans un message du 20 nov à 23:33, Anders Gjære écrivait : > >> > >> in gzip.c > >> > >> the line: > >> strcpy(nbuf,dir); > >> > >> should maybe be replaced with: > >> strncpy(nbuf, dir,sizeof(nbuf)); > > > >gzip runs with user privileges, therefore this is not a security > >problem. > > > > gzip is in vuln-dev for a buffer overflow in the argv handler. Debian is > apparently invulnerable, but it's a good thing to do everything we can to > figure out more bugs in the flavor-of-the-month exploit target before the > black hats do.
I second this. On thing I think is quite important is to get rid of calls to routines that it is possible to buffer overflow. OpenBSD has a "feature" in their version of gcc that will cause a compile time error message telling you when one of the standard library routines known to be overflowable is used. I'd love to see all open source software put through that chack. It dosen't need to be an error output, but atleast a warning would be good. At this point it needs to be switchable and not manditory. this is due to the volue of code that would need to be changed. -- | Bryan Andersen | [EMAIL PROTECTED] | http://www.nerdvest.com | | Buzzwords are like annoying little flies that deserve to be swatted. | | -Bryan Andersen |
