From kragen@dnaco.net Fri Jul 31 23:09:58 1998
Date: Fri, 31 Jul 1998 23:09:57 -0400 (EDT)
From: Kragen
To: systalk@ml.org
Subject: Re: [ST] CNN - Security gap found in e-mail programs,
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Keywords:
X-UID: 940
Status: O
X-Status:

On Fri, 31 Jul 1998, Mark Symonds wrote:
> Apparently the Unices aren't affected?

Wrong. Netscape on Unix is affected.

> Should I feel safe running pine?

No, Pine has buffer-overflow holes in it too.

You should feel safe running pine if you recompile it with a
bounds-checking compiler:

The first work I know of on bounds-checking for gcc was done by
Richard W. M. Jones and Paul Kelly, and is at
    http://www.doc.ic.ac.uk/~phjk/BoundsChecking.html

Greg McGary did some other work. Announcement:
    http://www.cygnus.com/ml/egcs/1998-May/0073.html

Richard Jones and Herman ten Brugge did other work. Announcement:
    http://www.cygnus.com/ml/egcs/1998-May/0557.html

Greg compares different approaches in
    http://www.cygnus.com/ml/egcs/1998-May/0559.html

You also might feel safe if you were running pine on Solaris under
Janus, so that the damage done by a buffer-overflow would be limited to
reading and screwing up your mail:
    http://www.cs.berkeley.edu/~daw/janus/

Mr. Wagner is currently thinking about porting Janus to Linux (well, he
actually has a working port, but doesn't like it much). The needed
modifications to the kernel would be relatively small.

Kragen (spreading the security religion)