
URGENT: DON'T USE 2.0B3 - SECURITY ISSUES! (was: [leafnode-list] [ANNOUNCE] First Leafnode-2.0 beta version)



krasel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx (Cornelius Krasel) writes:

> 2.0b3 will contain the following crude hack:

Don't do that. Revoke that version immediately. Have it fail on systems
without vsnprintf rather than introduce bugs like this.

I'm NOT bugfixing leafnode's 1.9 version for stability so you can
introduce DELIBERATE security problems in 2.0b. Beta here, beta there,
you forget to revoke those functions.

I'm going to announce this problem and that it has been a deliberate
decision on Bugtraq unless you revoke and make unavailable that version
by 2000-10-27 22:00 Z (that's tonight at midnight local time).

> #ifndef HAVE_VSNPRINTF
> /*
>  * very poor replacement for vsnprintf(), only made to make Leafnode
>  * compile on OSF1. Prone to buffer overflows.
>  */
> int vsnprintf( char *str, size_t n, const char *format, va_list ap ) {
>     return( vsprintf( str, format, ap ) );
> }
> #endif /* HAVE_VSNPRINTF */
> More elegant would be a real replacement similar to the snprintf()
> replacement in miscutil.c.

Not "more elegant", but an ABSOLUTE REQUIREMENT. 

Portability MUST NOT come prior to stability and security. 

IF you can't fix THAT place, fix the other place: get rid of vsnprintf.

varargs is not something used in stable and maintainable programs since
varargs subvert prototype checking.

Thus: don't try at all costs to get replacements for such functions, but
rather write SIMPLER functions that do the job. MUCH less error prone,
smaller code and so on.



I'll happily help out getting rid of security problems and audit the
source for further security issues, but before that can happen, the
entire coding style must change. 

You're bloating, you're currently collecting bad solutions to add rather
than getting rid of functions that pose portability or security
difficulties. A security audit would quickly be overridden by a patch
like an added vsnprintf replacement.

I believe leafnode can improve its stability and portability by getting rid
of the functions mentioned above, while maintaining or improving user
friendliness.

I also urge you to ditch the entire getaline crap unless it passes the
six checks that 1.9.17ma3 comes with. Use mine instead. I'll happily
help out fixing the rest of leafnode in favor of a solid and fast
buffering I/O library (that I might even write for that purpose), since
the current stdio stream I/O stuff *SUCKS* for our purposes.

Leafnode 1.9 is quite unstable and not as solid as it could be, 2.0
should not only introduce local groups, but also fix the remaining
stability issues. (better release it as 1.50 otherwise so people know
it's an intermediate tree).



May I ask you to set up a CVS server or move that project to
sourceforge.net (you could still mirror the files and home page at
Würzburg University for quick DFN access)?

-- 
Matthias Andree

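Editor's added example, not part of the message above and not leafnode code. It shows concretely what the quoted hack does and what the "real replacement" would look like: `hack_vsnprintf` is the quoted vsprintf() wrapper (renamed so it cannot shadow the libc symbol), and `hack_bytes_past_bound` measures how far it writes past the size it was given. Beside it, `bounded_format` is a deliberately small formatter (only %s %d %u %c %%) that honours the bound, always NUL-terminates, and returns the length the full output would have had so callers can detect truncation, in the spirit of "write SIMPLER functions that do the job". The input string and the sizes are constructed for the demonstration; the function names are this example's own.

```c
/* Added example (not leafnode code): the quoted vsnprintf hack vs. a bounded
 * formatter that actually honours its size argument. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The quoted hack, renamed: n is accepted and then ignored, so vsprintf()
 * writes the whole formatted string regardless of the caller's buffer. */
static int hack_vsnprintf(char *str, size_t n, const char *format, va_list ap)
{
    (void)n;                          /* the bound is silently discarded */
    return vsprintf(str, format, ap);
}

static int hack_call(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap; int r;
    va_start(ap, fmt);
    r = hack_vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return r;
}

/* How many bytes does the hack write past `bound`?  The backing buffer is
 * 256 bytes so the write is well-defined here; with a buffer of exactly
 * `bound` bytes the same call would smash the stack. */
size_t hack_bytes_past_bound(size_t bound)
{
    char big[256];
    const char *constructed = "a long header line that exceeds the bound"; /* constructed input */
    size_t written;
    memset(big, 0, sizeof big);
    hack_call(big, bound, "%s", constructed);
    written = strlen(big);
    return written > bound ? written - bound : 0;
}

/* Bounded formatter: a sink that counts every byte but stores only those
 * that fit, keeping one byte for the terminator (snprintf convention). */
struct sink { char *dst; size_t n; size_t len; };

static void emit(struct sink *s, char c)
{
    if (s->len + 1 < s->n)
        s->dst[s->len] = c;
    s->len++;
}

static void emit_str(struct sink *s, const char *p)
{
    while (*p) emit(s, *p++);
}

static void emit_unsigned(struct sink *s, unsigned long v)
{
    char tmp[3 * sizeof(v) + 1];      /* enough decimal digits for any unsigned long */
    size_t i = sizeof(tmp);
    tmp[--i] = '\0';
    do { tmp[--i] = (char)('0' + v % 10); v /= 10; } while (v);
    emit_str(s, tmp + i);
}

/* Supports only %s %d %u %c %%; unknown conversions are copied through.
 * Returns the length the full output would have had; ret >= n means the
 * result was truncated.  With n > 0 the output is always NUL-terminated. */
int bounded_vformat(char *dst, size_t n, const char *fmt, va_list ap)
{
    struct sink s = { dst, n, 0 };
    for (; *fmt; fmt++) {
        if (*fmt != '%') { emit(&s, *fmt); continue; }
        switch (*++fmt) {
        case 's': { const char *p = va_arg(ap, const char *); emit_str(&s, p ? p : "(null)"); break; }
        case 'd': {
            int v = va_arg(ap, int);
            unsigned long mag = v < 0 ? 0UL - (unsigned long)v : (unsigned long)v; /* no signed overflow */
            if (v < 0) emit(&s, '-');
            emit_unsigned(&s, mag);
            break;
        }
        case 'u': emit_unsigned(&s, va_arg(ap, unsigned int)); break;
        case 'c': emit(&s, (char)va_arg(ap, int)); break;
        case '%': emit(&s, '%'); break;
        case '\0': fmt--; break;       /* stray trailing '%': stop cleanly */
        default: emit(&s, '%'); emit(&s, *fmt); break;
        }
    }
    if (n > 0) dst[s.len < n ? s.len : n - 1] = '\0';
    return (int)s.len;
}

int bounded_format(char *dst, size_t n, const char *fmt, ...)
{
    va_list ap; int r;
    va_start(ap, fmt);
    r = bounded_vformat(dst, n, fmt, ap);
    va_end(ap);
    return r;
}
```

The first alternative the message asks for, failing the build instead of shipping the hack, is a one-liner in the same place: replace the stub body with `#error vsnprintf() is required` under `#ifndef HAVE_VSNPRINTF`, so a platform without it stops at compile time rather than at runtime with an overflow.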
-- 
leafnode-list@xxxxxxxxxxxxxxxxxxxxxxxxxxxx -- mailing list for leafnode
To unsubscribe, send mail with "unsubscribe" in the subject to the list