Re: How to write a secure C program..

2001-07-05 Thread Florian Weimer
"SDiZ Cheng" <[EMAIL PROTECTED]> writes:

> Are there any known buffer overflow problem in perl functions?

Perl inherits some problems of the hosting environment, for example
buffer overflows in syslog().

Apart from that, there are no known buffer overflow issues, but code
injection attacks are still possible with improperly written code.

-- 
Florian Weimer            [EMAIL PROTECTED]
University of Stuttgart   http://cert.uni-stuttgart.de/
RUS-CERT                  +49-711-685-5973/fax +49-711-685-5898




Re: How to write a secure C program..

2001-07-05 Thread Nick Phillips
On Tue, Jul 03, 2001 at 04:20:53PM +0400, Ilya Martynov wrote:

> AFAIK there is no known buffer overflow problem in perl functions. It
> is a very good idea to use tainted mode for Perl programs which should
> be run in dangerous environment. Check 'man perlsec' for more info.

Also read Phrack #55, art. 7 -- available at www.phrack.org.

Anyone using perl for anything vaguely secure should read this NOW if
they haven't already.

And think about all the other possibilities, too...

-- 
Nick Phillips -- [EMAIL PROTECTED]
It's lucky you're going so slowly, because you're going in the wrong direction.



Re: How to write a secure C program..

2001-07-03 Thread Ilya Martynov

SC> Just as an additional question:
SC> Are there any known buffer overflow problem in perl functions?

SC> Coz I am writing another program in perl which will, too, run as 
SC> root and listen to TCP socket with SSL.

AFAIK there is no known buffer overflow problem in perl functions. It
is a very good idea to use tainted mode for Perl programs which should
be run in dangerous environment. Check 'man perlsec' for more info.

-- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/)|
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80  E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/)  |
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-




Re: How to write a secure C program..

2001-07-03 Thread SDiZ Cheng
Just as an additional question:
Are there any known buffer overflow problem in perl functions?

Coz I am writing another program in perl which will, too, run as 
root and listen to TCP socket with SSL.



Re: How to write a secure C program..

2001-07-03 Thread Paul Haesler
> Besides not passing those arguments to printf( ), what C/C++
> function(s) I should take extra care while using?

All of them.  

No, seriously.

Paul Haesler
[EMAIL PROTECTED]  icq: 74142604

"We are the Steely-Pips and we have no fear, no
 spats in our vats, no rules, no schools, no gloom,
 no evil influence of the moon, for we have a machine,
 a dream of a machine, with springs and gears and 
 perfect in every respect."

 Stanislaw Lem, The Cyberiad (Trurl's Prescription)
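As an added example (not code from the thread or from Apache's suexec.c), the three habits the question and Paul's answer are really about, in C: the untrusted string goes in as a "%s" argument rather than as the format, strcpy() gives way to a bounded copy that refuses instead of overflowing, and argv/network input is allow-listed before it reaches anything privileged. The function names format_log, safe_copy and valid_ident and the identifier character set are this example's own choices.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Build a log line from untrusted fields.  The format string is a literal and
 * the data is only ever a "%s" argument, so "%x" or "%n" inside it is printed
 * literally.  The form the thread warns against would be: printf(user);
 * Returns 0 on success, -1 if the line did not fit (dst is then emptied). */
int format_log(char *dst, size_t dstsz, const char *user, const char *cmd)
{
    int n = snprintf(dst, dstsz, "user=%s cmd=%s", user, cmd);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz) dst[0] = '\0';   /* never leave a partial line behind */
        return -1;
    }
    return 0;
}

/* Bounded replacement for strcpy(): memchr() limits the search for the NUL
 * to dstsz bytes, so an overlong or unterminated src is rejected, not copied. */
int safe_copy(char *dst, size_t dstsz, const char *src)
{
    const char *end;
    if (dstsz == 0) return -1;
    end = memchr(src, '\0', dstsz);
    if (end == NULL) {              /* no terminator within dstsz: no room */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Allow-list check for a user or command name taken from argv or a socket
 * before it reaches execve(), stat() or a log line.  Accepts only
 * [A-Za-z0-9._-], non-empty, at most maxlen bytes, and never a leading '.'
 * (which also rules out a ".." component).  Returns 1 if acceptable, else 0. */
int valid_ident(const char *s, size_t maxlen)
{
    size_t i;
    if (s[0] == '\0' || s[0] == '.') return 0;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (i >= maxlen) return 0;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}
```

Each function reports failure to the caller instead of silently truncating, which is what lets a SUID program refuse the request rather than carry on with mangled data.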



Re: How to write a secure C program..

2001-07-03 Thread Matthias Richter
Lukas Ruf wrote on Tue Jul 03, 2001 at 10:34:44AM:
> On Tue, 03 Jul 2001, SDiZ Cheng wrote:
> 
> > I am going to rewrite suexec.c of apache ( to suit my boss's need ).
> > As this program is SUID, I don't want to make any mistake.
> >
> Are you really sure you wanna do that? 

If so, there is a HOWTO out there that he might be interested in:
<http://www.dwheeler.com/secure-programs>

Matthias




Re: How to write a secure C program..

2001-07-03 Thread Lukas Ruf
On Tue, 03 Jul 2001, SDiZ Cheng wrote:

> I am going to rewrite suexec.c of apache ( to suit my boss's need ).
> As this program is SUID, I don't want to make any mistake.
>
Are you really sure you wanna do that?  As this program runs as SUID,
the programmers put really a lot of emphasis onto correctness!  I think
it would be hard for you to do a job as good as the officially
distributed program.  

As it is distributed in source code, you should rather review the code
and check whether you could find any inconsistencies/errors/bugs.

--lpr



How to write a secure C program..

2001-07-03 Thread SDiZ Cheng
I am going to rewrite suexec.c of apache ( to suit my boss's need ).
As this program is SUID, I don't want to make any mistake.

Besides not passing those arguments to printf( ), what C/C++ function(s)
I should take extra care while using?

--
Cheng Yuk Pong (SDiZ) 
4096/1024 DH/DSS   0xA4C6FAD3
FE28 E6D4 AD21 5D4F F07B  EEA6 3C88 5DBB A4C6 FAD3



