Message-ID: <20030509122041.E50892-100000@vapid.ath.cx>
From: lwc at vapid.ath.cx (Larry W. Cashdollar)
Subject: SRT2003-05-08-1137 - ListProc mailing list
 ULISTPROC_UMASK overflow


Maybe a better response would have been to test/patch yourself?

It's actually not worth it, catmail has about 9 strcpy()'s.  That's not
including the libraries it links to, which are riddled with them...

gcc -fwritable-strings -I/tmp/bleh -ggdb -O -o catmail catmail.o
/tmp/bleh/lplib/liblplib.a /tmp/bleh/send/libsend.a
/tmp/bleh/objects/libobjects.a /tmp/bleh/lputil/liblputil.a
/tmp/bleh/port/liblpport.a  -lnsl -lm -L/tmp/bleh/../../dbm -llpdb

for starters:

[root@...zarella lplib]# grep -c strcpy *.c
config_file.c:0
file_list.c:1
fio.c:0
lpalias.c:1
lpglobals.c:0
lprevdbm.c:0
misc.c:53
newmail.c:0
sender.c:26
signals.c:0
silp.c:8

[root@...zarella lputil]# grep -c strcpy *.c
lpconfig.c:0
lpcounter_file.c:0
lpdir.c:0
lperrmsg.c:0
lpexec.c:0
lpexit.c:0
lpfile.c:0
lpinit.c:1
lplock.c:0
lplog.c:1
lpmd5.c:0
lpregex.c:0
lpsetuid.c:0
lpsig.c:0
lpstring.c:0
lpsyslib.c:1
lptypes.c:0
mailrfc.c:0
md5c.c:0
plist.c:0
regerror.c:1
regex.c:4
regex_new.c:4
regexp.c:1
regsub.c:0
string_table.c:0

It's better to just move on to new software.


On Fri, 9 May 2003, Shawn McMahon wrote:

> Huh?  They can't come up with a Linux box with enough HD space to store
> the source code?  What, does the company use PCs in their school library
> to do all their Important Security Consultant Work?
>
> Never mind, I just looked at their website.  Maybe they truly DON'T have
> any Linux or other UNIX boxes.
>
>
> --
> Shawn McMahon     | Let every nation know, whether it wishes us well or ill,
> EIV Consulting    | that we shall pay any price, bear any burden, meet any
> UNIX and Linux	  | hardship, support any friend, oppose any foe, to assure
> http://www.eiv.com| the survival and the success of liberty. - JFK
>


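The `grep -c strcpy *.c` tally above counts lines that contain the string, comment mentions included, and misses a second call on the same line. The script below, an added example that is not part of the post and not ListProc code, does the audit a reviewer would actually want over a source tree: it strips single-line comments, counts call sites of several unbounded string functions (`strcpy`, `strcat`, `sprintf`, `vsprintf`, `gets`), ignores look-alike identifiers such as `strncpy` or `my_strcpy`, and totals per function. The two `.c` files it writes are constructed samples; point `audit_tree` at a real checkout instead.

```shell
#!/bin/sh
# Audit a C tree for call sites of unbounded string/format functions.
# Constructed example for this thread; not ListProc's code or build tooling.

UNSAFE_FUNCS='strcpy strcat sprintf vsprintf gets'

# strip_comments FILE: remove // comments and single-line /* */ comments.
# Heuristic only: multi-line block comments and "//" inside strings are not handled.
strip_comments() {
    sed -e 's://.*$::' -e 's:/\*.*\*/::g' "$1"
}

# count_calls DIR FUNC: print "relative/path.c:N" for each file with N > 0 call
# sites of FUNC. A call site is FUNC followed by "(" and not preceded by an
# identifier character, so strncpy/my_strcpy are not counted as strcpy.
count_calls() {
    dir=$1; func=$2
    find "$dir" -name '*.c' | sort | while IFS= read -r f; do
        n=$(strip_comments "$f" \
            | grep -oE "(^|[^[:alnum:]_])$func[[:space:]]*\(" \
            | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            printf '%s:%s\n' "${f#"$dir"/}" "$n"
        fi
    done
}

# total_calls DIR FUNC: sum of call sites of FUNC across the tree.
total_calls() {
    count_calls "$1" "$2" | awk -F: '{ s += $NF } END { print s + 0 }'
}

# audit_tree DIR: per-function totals with the per-file breakdown under each.
audit_tree() {
    for func in $UNSAFE_FUNCS; do
        printf '== %s: %s call site(s)\n' "$func" "$(total_calls "$1" "$func")"
        count_calls "$1" "$func" | sed 's/^/   /'
    done
}

# make_sample_tree DIR: write two constructed files exercising the edge cases
# (comment mentions, two calls on one line, look-alike identifiers).
make_sample_tree() {
    mkdir -p "$1/lib"
    cat > "$1/lib/parse.c" <<'EOF'
#include <string.h>
#include <stdio.h>
/* strcpy mentioned in a comment must not be counted */
void parse(char *dst, const char *src) {
    strcpy(dst, src); strcpy(dst + 8, src);   /* two call sites on one line */
    sprintf(dst, "%s", src);                 // strcpy-like, also unbounded
}
EOF
    cat > "$1/lib/util.c" <<'EOF'
#include <string.h>
void util(char *dst, const char *src, size_t n) {
    strncpy(dst, src, n);   /* bounded: strncpy is not strcpy */
    my_strcpy(dst, src);    /* prefixed identifier, not the libc call */
    strcat (dst, src);
}
EOF
}

# Stand-alone demo on the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
audit_tree "$demo_dir"
rm -rf "$demo_dir"
```

On the constructed tree this reports strcpy: 2 (both on one line of `lib/parse.c`), strcat: 1, sprintf: 1, and nothing for the comment mentions, `strncpy` or `my_strcpy`. A count like this is a triage aid, not a verdict: each site still has to be read to see whether the source length is bounded before the copy.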