Re: [Full-Disclosure] SRT2003-05-08-1137 - ListProc mailing list ULISTPROC_UMASK overflow
From: Larry W. Cashdollar (lwc_at_vapid.ath.cx)
Date: 05/09/03
- In reply to: Shawn McMahon: "Re: [Full-Disclosure] SRT2003-05-08-1137 - ListProc mailing list ULISTPROC_UMASK overflow"
To: <full-disclosure@lists.netsys.com>
Date: Fri, 9 May 2003 12:31:55 -0400 (EDT)
Maybe a better response would have been to test/patch yourself?
It's actually not worth it, catmail has about 9 strcpy()'s. That's not
including the libraries it links to. Which are riddled with them...
gcc -fwritable-strings -I/tmp/bleh -ggdb -O -o catmail catmail.o
/tmp/bleh/lplib/liblplib.a /tmp/bleh/send/libsend.a
/tmp/bleh/objects/libobjects.a /tmp/bleh/lputil/liblputil.a
/tmp/bleh/port/liblpport.a -lnsl -lm -L/tmp/bleh/../../dbm -llpdb
for starters:
[root@mozzarella lplib]# grep -c strcpy *.c
config_file.c:0
file_list.c:1
fio.c:0
lpalias.c:1
lpglobals.c:0
lprevdbm.c:0
misc.c:53
newmail.c:0
sender.c:26
signals.c:0
silp.c:8
[root@mozzarella lputil]# grep -c strcpy *.c
lpconfig.c:0
lpcounter_file.c:0
lpdir.c:0
lperrmsg.c:0
lpexec.c:0
lpexit.c:0
lpfile.c:0
lpinit.c:1
lplock.c:0
lplog.c:1
lpmd5.c:0
lpregex.c:0
lpsetuid.c:0
lpsig.c:0
lpstring.c:0
lpsyslib.c:1
lptypes.c:0
mailrfc.c:0
md5c.c:0
plist.c:0
regerror.c:1
regex.c:4
regex_new.c:4
regexp.c:1
regsub.c:0
string_table.c:0
It's better to just move on to new software.
On Fri, 9 May 2003, Shawn McMahon wrote:
> Huh? They can't come up with a Linux box with enough HD space to store
> the source code? What, does the company use PCs in their school library
> to do all their Important Security Consultant Work?
>
> Never mind, I just looked at their website. Maybe they truly DON'T have
> any Linux or other UNIX boxes.
>
>
> --
> Shawn McMahon | Let every nation know, whether it wishes us well or ill,
> EIV Consulting | that we shall pay any price, bear any burden, meet any
> UNIX and Linux | hardship, support any friend, oppose any foe, to assure
> http://www.eiv.com| the survival and the success of liberty. - JFK
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
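
The `grep -c strcpy` audit in the message above counts matching lines, so comments and wrapper names are included and two calls on one line count once. The following is an added example, not part of the original post or of ListProc: a heuristic triage that counts call sites and sets aside those whose source argument is a string literal, leaving the variable-source copies for manual review. The function names and the sample `demo.c` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): triage strcpy() call sites
# rather than counting matching lines as `grep -c strcpy` does.

# Number of strcpy( call sites in FILE; wrappers such as my_strcpy are skipped.
count_calls() {
    grep -oE '(^|[^A-Za-z0-9_])strcpy[[:space:]]*\(' "$1" | wc -l | tr -d ' '
}

# Call sites whose source argument starts with a string literal (fixed length).
count_literal() {
    grep -oE '(^|[^A-Za-z0-9_])strcpy[[:space:]]*\([^,;]*,[[:space:]]*"' "$1" |
        wc -l | tr -d ' '
}

# Per-file summary: total calls, literal-source calls, calls left to review.
strcpy_triage() {
    for f in "$1"/*.c; do
        [ -f "$f" ] || continue
        total=$(count_calls "$f")
        lit=$(count_literal "$f")
        printf '%s total=%s literal_src=%s review=%s\n' \
            "$(basename "$f")" "$total" "$lit" "$((total - lit))"
    done
}

# Constructed sample source, written to DIR/demo.c (hypothetical file name).
make_sample() {
    cat > "$1/demo.c" <<'EOF'
/* replaces the old strcpy helper */
char path[64];
void f(const char *user) {
    strcpy(path, "/tmp/");
    strcpy(path, user);
    strcpy(a, "x"); strcpy(b, getenv("HOME"));
    my_strcpy(path, user);
    strncpy(path, user, 63);
}
EOF
}

dir=$(mktemp -d)
make_sample "$dir"
grep -c strcpy "$dir"/*.c      # line count, as in the post
strcpy_triage "$dir"           # call-site triage
rm -rf "$dir"
```

The regexes are line-based and do not parse C, so calls inside comments or with a comma in the destination expression are misclassified; a literal source still needs its length checked against the destination buffer.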