[124205] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: The perils of security tools

daemon@ATHENA.MIT.EDU (Victor Duchovni)
Thu May 22 11:29:29 2008

Date: Tue, 13 May 2008 17:10:00 -0400
From: Victor Duchovni <Victor.Duchovni@morganstanley.com>
To: Cryptography <cryptography@metzdowd.com>
Mail-Followup-To: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <48299355.3060904@links.org>

On Tue, May 13, 2008 at 02:10:45PM +0100, Ben Laurie wrote:

> [Moderator's note: A quick reminder: please use ASCII except if you
> need Unicode to spell your name right. Microsoft's proprietary quote
> marks are not a standard and don't look right on non-Microsoft
> displays. I edited them out of this by hand. --Perry]
> 
> Debian have a stunning example of how blindly fixing "problems" pointed 
> out by security tools can be disastrous.

Upstream authors can take defensive measures against ill-advised
patches of this sort. For a while, distributions were in the habit
of Patching the code that Postfix uses to learn the its own hostname.
Invariably, they botched it. The code now reads:

  /* get_hostname - look up my host name */

  const char *get_hostname(void)
  {
    char    namebuf[MAXHOSTNAMELEN + 1];

    /*
     * The gethostname() call is not (or not yet) in ANSI or POSIX, but it is
     * part of the socket interface library. We avoid the more politically-
     * correct uname() routine because that has no portable way of dealing
     * with long (FQDN) hostnames.
     *
     * DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION. IT BREAKS MAILDIR DELIVERY
     * AND OTHER THINGS WHEN THE MACHINE NAME IS NOT FOUND IN /ETC/HOSTS OR
     * CAUSES PROCESSES TO HANG WHEN THE NETWORK IS DISCONNECTED.
     *
     * POSTFIX NO LONGER NEEDS A FULLY QUALIFIED HOSTNAME. INSTEAD POSTFIX WILL
     * USE A DEFAULT DOMAIN NAME "LOCALDOMAIN".
     */
    if (my_host_name == 0) {
      /* DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION */
      if (gethostname(namebuf, sizeof(namebuf)) < 0)
	msg_fatal("gethostname: %m");
      namebuf[MAXHOSTNAMELEN] = 0;
      /* DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION */
      if (valid_hostname(namebuf, DO_GRIPE) == 0)
	msg_fatal("unable to use my own hostname");
      /* DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION */
      my_host_name = mystrdup(namebuf);
    }
    return (my_host_name);
  }

The addition of "/* DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION */"
every couple of lines appears to have solved the problem: it deliberately
breaks all prior patches (context diff overlaps), and strongly signals
that the code must not be messed with.

-- 
	Viktor.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post