Thanks!

On 4/21/14, 12:29 PM, D Brashear wrote:
> data off the wire never makes it there, so there should be no privilege
> escalation. you may be able to crash something you ran yourself.
>
> we'll check it out, though. still not good, just not likely to have security
> implications.
>
> and the krb5 options changes in configure. that page needs a refresh
>
>
> On Mon, Apr 21, 2014 at 11:12 AM, Frederick Luehring <luehr...@indiana.edu> wrote:
>
>> Hi Everyone,
>>
>> Since there has been a certain amount of excitement about the consequences
>> of buffer overflows in recent days, I would like to point out a possible
>> problem I discovered when following the instructions to compile OpenAFS on
>> Mac OS X. I guess you know of this, but just in case: if you follow the
>> instructions at
>>
>> http://www.openafs.org/macos.html
>>
>> it sets the enable-checking flag, which almost immediately finds:
>>
>> gcc -Os -I/Users/luehring/openafs-1.6.6/src/config -I/Users/luehring/openafs-1.6.6/include -I. -I. -Os -Wall -Wstrict-prototypes -Wold-style-definition -Wpointer-arith -Wall -Wstrict-prototypes -Wold-style-definition -Werror -fdiagnostics-show-option -Wpointer-arith -arch i386 -arch x86_64 -c cmd.c
>> cmd.c:46:30: error: the value of the size argument in 'strncat' is too large, might lead to a buffer overflow [-Werror,-Wstrncat-size]
>>     strncat(tbuffer, a2, sizeof(tbuffer));
>>                          ^~~~~~~~~~~~~~~
>> cmd.c:46:30: note: change the argument to be the free space in the destination buffer minus the terminating null byte
>>     strncat(tbuffer, a2, sizeof(tbuffer));
>>                          ^~~~~~~~~~~~~~~
>>                          sizeof(tbuffer) - strlen(tbuffer) - 1
>> 1 error generated.
>> make[3]: *** [cmd.o] Error 1
>> make[2]: *** [cmd] Error 2
>> make[1]: *** [build] Error 2
>> make: *** [all] Error 2
>>
>> Those instructions also set "--with-krb5-conf=/usr/bin/krb5-config", which
>> seems to be unrecognized. I guess this is because Kerberos version 4 is
>> completely dead and the flag is no longer needed.
>>
>> Fred
>>
>> --
>> Fred Luehring  Indiana U. HEP  mailto:luehr...@indiana.edu  +1 812 855 1025  IU
>> http://cern.ch/Fred.Luehring  mailto:fred.luehr...@cern.ch  +41 22 767 1166  CERN
>> http://cern.ch/Fred.Luehring/Luehring_pub.asc  +1 812 391 0225  GSM
>
>
> --
> D

--
Fred Luehring  Indiana U. HEP  mailto:luehr...@indiana.edu  +1 812 855 1025  IU
http://cern.ch/Fred.Luehring  mailto:fred.luehr...@cern.ch  +41 22 767 1166  CERN
http://cern.ch/Fred.Luehring/Luehring_pub.asc  +1 812 391 0225  GSM
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
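The clang diagnostic quoted in the thread is about what the third argument of strncat actually means: it bounds how many bytes are copied from the source, not how large the destination is, so strncat(tbuffer, a2, sizeof(tbuffer)) can write strlen(tbuffer) + sizeof(tbuffer) + 1 bytes into a sizeof(tbuffer)-byte array. The following is an added example written for this page, not OpenAFS code and not the contents of cmd.c; it models the flagged pattern with an assumed 16-byte buffer and constructed input, computes how far each bound would write without ever performing the out-of-bounds write, and shows the bound clang suggests (sizeof(tbuffer) - strlen(tbuffer) - 1) applied in a small hardened append helper. The names strncat_footprint, strncat_overflows, strncat_bound, safe_append and demo_hardened are all illustrative.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not OpenAFS code). It models the pattern clang flagged in
 * cmd.c, strncat(tbuffer, a2, sizeof(tbuffer)), and the bound the compiler
 * suggested instead. The buffer size below is an assumption for illustration;
 * the thread does not give the real size of tbuffer in cmd.c. */

#define TBUF_SIZE 16

/* strncat(dst, src, n) appends at most n bytes of src and then writes one NUL.
 * Total bytes occupied in dst afterwards, counting the NUL. */
size_t strncat_footprint(size_t dst_len, size_t src_len, size_t n)
{
    size_t appended = src_len < n ? src_len : n;
    return dst_len + appended + 1;
}

/* 1 if strncat with bound n would write past a destination of capacity cap. */
int strncat_overflows(size_t cap, size_t dst_len, size_t src_len, size_t n)
{
    return strncat_footprint(dst_len, src_len, n) > cap;
}

/* The bound clang proposes: free space in dst minus the terminating NUL.
 * Caller must ensure dst_len < cap (dst is NUL-terminated inside the buffer). */
size_t strncat_bound(size_t cap, size_t dst_len)
{
    return cap - dst_len - 1;
}

/* Hardened append. Refuses if dst has no NUL within cap (nothing to append to
 * safely), otherwise appends as much of src as fits and returns the number
 * of bytes appended. Truncation is silent, as with strncat itself. */
size_t safe_append(char *dst, size_t cap, const char *src)
{
    const char *end = memchr(dst, '\0', cap);
    if (end == NULL)
        return 0;
    size_t dst_len = (size_t)(end - dst);
    strncat(dst, src, strncat_bound(cap, dst_len));
    return strlen(dst) - dst_len;
}

/* Runs the hardened append on constructed input: tbuffer already holds
 * "abcdef" and a2 is 16 bytes long. Returns bytes appended (9 when
 * TBUF_SIZE is 16); *out receives the resulting string when non-NULL. */
size_t demo_hardened(char *out, size_t out_cap)
{
    char tbuffer[TBUF_SIZE] = "abcdef";
    const char *a2 = "0123456789ABCDEF"; /* constructed input, 16 bytes */
    size_t appended = safe_append(tbuffer, sizeof tbuffer, a2);
    if (out != NULL && out_cap >= sizeof tbuffer)
        memcpy(out, tbuffer, sizeof tbuffer);
    return appended;
}

/* 1 if the hardened append produced exactly the expected truncated string. */
int demo_hardened_ok(void)
{
    char out[TBUF_SIZE];
    return demo_hardened(out, sizeof out) == 9
        && strcmp(out, "abcdef012345678") == 0;
}

int main(void)
{
    const size_t dst_len = 6, src_len = 16;

    /* Original bound, sizeof(tbuffer): footprint is 6 + 16 + 1 = 23 bytes
     * in a 16-byte buffer, i.e. 7 bytes written past the end of the array. */
    printf("n = sizeof(tbuffer): footprint %zu of %d, overflow=%d\n",
           strncat_footprint(dst_len, src_len, TBUF_SIZE), TBUF_SIZE,
           strncat_overflows(TBUF_SIZE, dst_len, src_len, TBUF_SIZE));

    /* Suggested bound, 16 - 6 - 1 = 9: footprint is 6 + 9 + 1 = 16, fits. */
    size_t n = strncat_bound(TBUF_SIZE, dst_len);
    printf("n = cap - len - 1 = %zu: footprint %zu, overflow=%d\n", n,
           strncat_footprint(dst_len, src_len, n),
           strncat_overflows(TBUF_SIZE, dst_len, src_len, n));

    char out[TBUF_SIZE];
    size_t appended = demo_hardened(out, sizeof out);
    printf("hardened append: %zu bytes appended -> \"%s\"\n", appended, out);
    return demo_hardened_ok() ? 0 : 1;
}
```

Two caveats a reviewer would keep in mind when applying the suggested bound to real code: it is only correct if the destination is already NUL-terminated inside the buffer (hence the memchr check before computing the free space), and it silently truncates the source, so if the appended string must not be cut short the caller has to compare the return value against strlen(src) and fail explicitly.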