Mail Archives: cygwin/2001/06/21/15:40:34
On Wed, Jun 20, 2001 at 04:27:37PM -0400, David A. Cobb wrote:
>At 6/18/01 06:12 AM (Monday), Alois Steindl wrote:
>>On Sat, 16 Jun 2001 23:29:36 -0400,
>>Christopher Faylor <cgf at redhat dot com> wrote:
>>
>>>Looking at the entry that is in termcap for linux, I don't see any way
>>>around this. I did compare it against the entry from Red Hat and I see
>>>that they just squeak in under 1024.
>>
>>I get 1042 for linux and 1034 for cygwin
>>
>>>I compared the two and obviously the Cygwin version does have more "stuff"
>>>but I don't think that any of it is obviously wrong. So, the trivial
>>>fix for this is to increase the size of your buffer. I suspect that this
>>>is what most applications who use termcap had already done years ago.
>>The problem is that the length 1024 is cited in the man page. Violating this
>>constraint _is_ a bug and not "my alleged cygwin problem", as you stated
>>in your email. As I wrote in my first message, the problem disappears if I
>>increase this buffer or avoid termcap at all.
>>Increasing the limit silently (quite likely accidentally) can break a lot of
>>existing programs - like e.g. fweb - even if it were documented in the
>>man page. Buffer overflow is a major source of programming problems. Let's
>>hope that this kind of error is not growing in the Red Hat programs,
>>since I use Linux Red Hat much more frequently than cygwin.
>
>[cgf:] To say nothing of security breaches. I've had 3 BugTraq notices in
>2 days about buffer overrun exploits in code that we include with Cygwin.
Please don't use cygwin if you are expecting a secure environment.
However, if you do have patches to rectify security problems, we will, of
course accept them.
termcap is a buffer overrun waiting to happen anyway, since the user can
easily specify their own termcap settings.
cgf
--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple