"Thomas Kurschel" <topi...@gmx.net> writes:

> In FreeBSD 12.0, basename(3) was changed to be POSIX compliant. This
> implies that the function can possibly write to the passed
> string. Actually, basename always writes to the passed string under
> FreeBSD 12.0.

> rssh passes a const string, so it always crashes on invocation.
> Attached is a patch that makes a copy of the string first and passes it
> instead.

> Could you please apply it?

Hi Thomas,

rssh is no longer maintained. The blacklist approach that it uses to unsafe arguments to the various commands it tries to protect has proven too fragile in practice, and even crafting a whitelist is quite challenging given how complicated, and undocumented, the server mode for many commands is. On top of that, OpenSSH tends to add new features that cause other security problems.

I'm going to be pulling it from Debian before the next stable release, and would recommend that others who use it move away from it. Sadly, there isn't a great replacement -- the problem that it's trying to solve is quite hard.

-- 
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

_______________________________________________
rssh-discuss mailing list
rssh-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
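
The approach described in the quoted report (copy the string, then hand the copy to basename(3)), as an added example that is not part of the thread and is not the patch attached to it. The helper names `dup_str` and `base_of_const_path` and the sample paths are hypothetical.

```c
#include <libgen.h>   /* POSIX basename(3) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Duplicate a NUL-terminated string; the caller frees the result. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, s, n);
    return copy;
}

/*
 * Hypothetical helper: return the final component of a read-only path.
 * POSIX lets basename() modify its argument and return a pointer into it
 * or into static storage, so it is given a private copy and the result
 * is duplicated before that copy is released.
 * Returns a heap string the caller frees, or NULL on allocation failure.
 */
char *base_of_const_path(const char *path)
{
    char *scratch, *result;

    if (path == NULL)
        path = "";            /* POSIX: NULL or "" yields "." */
    scratch = dup_str(path);
    if (scratch == NULL)
        return NULL;
    result = dup_str(basename(scratch));
    free(scratch);
    return result;
}

int main(void)
{
    /* Constructed sample paths; string literals live in read-only storage. */
    static const char *const samples[] = { "/usr/bin/scp", "/usr/lib/", "scp", "/", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *b = base_of_const_path(samples[i]);
        if (b == NULL)
            return 1;
        printf("\"%s\" -> \"%s\"\n", samples[i], b);
        free(b);
    }
    return 0;
}
```

The trailing-slash case is the one where a POSIX basename() has to write into its argument to strip the slash, which is why the copy is required for read-only input.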