[585] in WWW Security List Archive
No subject found in mail header
daemon@ATHENA.MIT.EDU (Patrick Horgan)
Thu Apr 13 18:19:40 1995
Date: Thu, 13 Apr 1995 11:33:08 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
To: www-security@ns2.rutgers.edu, Steff.Watkins@Bristol.ac.uk
Errors-To: owner-www-security@ns2.rutgers.edu
>
> Hello,
>
> forgive me if I seem a complete twonk but...
>
> a> Wouldn't it be easy(-ish) to either A> use some form of a malloc()
> assignment routine for "path" or B> make the definition of "path" a lot
> bigger..
>
> OR
>
> b> put a limiter statement into the code ie.
>
> if (strlen(p) < SOME_VALUE)
> {
> /* put the rest of the code here */
> }
> else { /* Gibber gibber */}
Well, yes, but the point he's trying to make is that they haven't.
>
> Possible gibber.. not ALL the sprintf's and strcpy's in the C code files
> are to do with copying the pathname, and as such, they're NOT all going to
> cause this problem.
>
> Sorry.. just seems that you're being a bit alarmist here!!!
I don't see how you can draw that conclusion. He shows a hole that can be
used to run anything you want with whatever permission the daemon's running
with, (and unfortunately not everyone runs 'em nobody nobody,) and you say
he's alarmist? So what if not every case of bad coding in the daemon can
breach security...some can, and one's too many.
Patrick
_______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;). \
| (\ |
| Patrick J. Horgan Amdahl Corporation \\ Have |
| patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword |
| Phone : (408)992-2779 P.O. Box 3470 M/S 316 \\/ Will |
| FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel |
\___________________________O16-2294________________________\)__________/
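
The options raised in the quoted message (a length check before the copy, or sizing the buffer from the input), written out as an added C example that is not part of the original e-mail or of the daemon's code. The buffer size `PATH_BUF`, the function names and the sample paths are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256  /* assumed size of the fixed "path" buffer */

/* Option b: check the length before copying. Returns 0 on success,
 * -1 if p does not fit (reject the request, do not truncate it). */
int copy_path_checked(char *dst, size_t dstsz, const char *p)
{
    size_t n = strlen(p);
    if (n >= dstsz)              /* >= leaves room for the terminating NUL */
        return -1;
    memcpy(dst, p, n + 1);
    return 0;
}

/* Bounded replacement for sprintf(path, "%s/%s", root, p). */
int join_path_checked(char *dst, size_t dstsz, const char *root, const char *p)
{
    int n = snprintf(dst, dstsz, "%s/%s", root, p);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';       /* never hand back a truncated path */
        return -1;
    }
    return 0;
}

/* Option a(A): size the buffer from the input. Caller frees the result. */
char *join_path_alloc(const char *root, const char *p)
{
    size_t need = strlen(root) + 1 + strlen(p) + 1;
    char *out = malloc(need);
    if (out != NULL)
        snprintf(out, need, "%s/%s", root, p);
    return out;
}

int main(void)
{
    char path[PATH_BUF];
    char longreq[1024];          /* constructed over-long request path */
    memset(longreq, 'A', sizeof longreq - 1);
    longreq[sizeof longreq - 1] = '\0';
    printf("short: %d\n", join_path_checked(path, sizeof path, "/usr/local/www", "index.html"));
    printf("long:  %d\n", join_path_checked(path, sizeof path, "/usr/local/www", longreq));
    return 0;
}
```

Option a(B), a larger fixed buffer, only raises the input length needed to overflow it, so the copy still needs one of the checks above.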