Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Date: Thu, 21 Jun 2001 13:20:39 -0400
From: Christopher Faylor
To: cygwin AT cygwin DOT com
Subject: Re: * Re: 1.1.8: Too large entry in termcap file
Message-ID: <20010621132039.K6318@redhat.com>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <3B2DD3F1 DOT 60805 AT mch2pc28 DOT mechanik DOT tuwien DOT ac DOT at> <5 DOT 1 DOT 0 DOT 14 DOT 0 DOT 20010620162323 DOT 00ac0510 AT mail>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.11i
In-Reply-To: <5.1.0.14.0.20010620162323.00ac0510@mail>; from superbiskit@home.com on Wed, Jun 20, 2001 at 04:27:37PM -0400

On Wed, Jun 20, 2001 at 04:27:37PM -0400, David A. Cobb wrote:
>At 6/18/01 06:12 AM (Monday), Alois Steindl wrote:
>>On Sat, 16 Jun 2001 23:29:36 -0400,
>>Christopher Faylor wrote:
>>
>>>Looking at the entry that is in termcap for linux, I don't see any way
>>>around this. I did compare it against the entry from Red Hat and I see
>>>that they just squeak in under 1024.
>>
>>I get 1042 for linux and 1034 for cygwin
>>
>>>I compared the two and obviously the Cygwin version does have more "stuff"
>>>but I don't think that any of it is obviously wrong. So, the trivial
>>>fix for this is to increase the size of your buffer. I suspect that this
>>>is what most applications who use termcap had already done years ago.
>>
>>the problem is, that the length 1024 is cited in the man page. Violating this
>>constraint _is_ a bug and not "my alleged cygwin problem", as you stated
>>in your email. As I wrote in my first message, the problem disappears if I
>>increase this buffer or avoid termcap at all.
>>Increasing the limit silently (quite likely accidentally) can break a lot of
>>existing programs - like e.g. fweb - , even if it were documented in the
>>man page. Buffer overflow is a major source of programming problems. Let's
>>hope that this kind of errors is not growing in the Red Hat programs,
>>since I use Linux Red Hat much more frequently than cygwin.
>
>[cgf:] To say nothing of security breaches. I've had 3 BugTraq notices in
>2 days about buffer overrun exploits in code that we include with Cygwin.

Please don't use cygwin if you are expecting a secure environment.

However, if you do have patches to rectify security problems, we will, of
course, accept them.

termcap is a buffer overrun waiting to happen anyway, since the user can
easily specify their own termcap settings.

cgf
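
Added example, not part of the original message or of Cygwin's code: a C sketch of the check the thread is about, which measures each termcap entry against the 1024-byte buffer and refuses an oversized copy instead of overrunning. The function names are hypothetical, the entry length is assumed to be the text left after joining backslash-newline continuations, and the 1042-byte entry in main() is constructed filler.

```c
#include <stdio.h>
#include <string.h>
#define TERMCAP_BUFSZ 1024 /* buffer size the thread says the man page cites */

/* Join one logical entry at p, dropping backslash-newline continuations and
 * the indentation after them. dst may be NULL (measure only). Returns the
 * full joined length; *next is set to the line after the entry. */
static size_t join_entry(const char *p, char *dst, size_t cap, const char **next)
{
    size_t n = 0;
    while (*p && *p != '\n') {
        if (p[0] == '\\' && p[1] == '\n') {
            for (p += 2; *p == ' ' || *p == '\t'; p++) {}
            continue;
        }
        if (dst && n + 1 < cap) dst[n] = *p;   /* never write past cap-2 */
        n++; p++;
    }
    if (dst && cap) dst[n < cap ? n : cap - 1] = '\0';
    if (next) *next = (*p == '\n') ? p + 1 : p;
    return n;
}

/* Count entries needing more than limit bytes (joined length plus NUL). */
int count_oversized(const char *db, size_t limit)
{
    int bad = 0;
    while (*db) {
        const char *next;
        size_t n = join_entry(db, NULL, 0, &next);
        if (*db != '#' && n > 0 && n + 1 > limit) bad++;  /* skip comments, blanks */
        db = next;
    }
    return bad;
}

/* Bounded copy: 0 if the entry fit, -1 if it was truncated (reject it). */
int copy_entry_checked(char *dst, size_t cap, const char *entry)
{
    return join_entry(entry, dst, cap, NULL) + 1 > cap ? -1 : 0;
}

int main(void)
{
    char big[1100], dst[TERMCAP_BUFSZ];  /* constructed 1042-byte entry */
    memset(big, 'x', 1042); memcpy(big, "linux:", 6); big[1042] = '\0';
    printf("oversized=%d copy=%d\n", count_oversized(big, TERMCAP_BUFSZ),
           copy_entry_checked(dst, sizeof dst, big));
    return 0;
}
```

Because the termcap source can be supplied by the user, the length check belongs in the code that copies the entry, not only in a one-time audit of the shipped file.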