SecFix for databases/firebird, please review
Alexander Leidinger
Alexander at Leidinger.net
Mon Aug 18 04:19:01 PDT 2003
On Mon, 18 Aug 2003 11:57:08 +1000
"Chris Knight" <chris at e-easy.com.au> wrote:
> > This is bogus... this function should be rewritten so that it passes
> > in the size of the `string' argument. One can't just assume it is
> > MAXPATHLEN. Also, strlcat would be much nicer and safer here. If you
> > can't use strlcat, then one must explicitly NUL-terminate the buffer,
> > because strncat may fail to do so.
> >
> That's what I'm currently in the process of doing - passing in the
> size of the buffer to gds__prefix. It gets called with buffer
> lengths of 64, 100, 128, 256 and 1024.
Ugh... seems I've missed some calls...
> I'm probably going to have to use strncat to keep it a bit more
> portable.
That's the reason why I haven't used strlcat...
> > OK, I only looked at the first two patch files, but it is clear that
> > this should not be committed. IMHO, I also think this port _should_
> > be removed. But, if you decide to slog through it once more and
> > correct some of these problems, we'll be here for another look!
> >
> I don't particularly like it, but I'm inclined to agree with you - the
> port probably should go. I can always maintain the 1.0.x port outside
> of the FreeBSD Ports Tree and make it available on my Website with lots
> of warning labels. I'll get onto the Firebird 1.5 port pronto, which
We can add the warning labels also to the in tree port...
> should end this issue and put me out of my current misery.
And you're sure 1.5 is better in this regard?
Bye,
Alexander.
--
Give a man a fish and you feed him for a day;
teach him to use the Net and he won't bother you for weeks.
http://www.Leidinger.net Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
More information about the freebsd-audit
mailing list