Re: EMERGENCY: new remote root exploit in UW imapd

[andre () PIPELINE CH (IBS / Andre Oppermann)]

Kragen wrote:
> On Sat, 18 Jul 1998, Niall Smart wrote:
> > The problem, as the original poster says, is that exercising option
> > 3 is currently too difficult.  The ANSI C string handling functions
> > are simply error prone.  With this in mind I begin about a month
> > ago on a project to create a string handling library which makes
> > buffer management significantly easier, while still maintaining an
> > acceptable level of efficiency and supporting common C programming
> > idioms.  There are other interfaces, such as file access which are
> > also error prone to a degree which I am also looking at.  I haven't
> > had the time to spend as much time on this project as I would have
> > liked but I should get it released before the end of the summer at
> > which time I'll post an announcement here.  The code will be under
> > a BSD style copyright.
>
> Dan Bernstein, who wrote qmail, has already done all of this.  He might
> be persuaded to let others use his library under a BSD-style copyright.
>
> qmail uses no standard C library functions, other than syscalls, if I
> remember correctly.

That is true, but he hasn't documented it very well, in fact you have
to look through and follow the function to see what is really does.

One interesting thing his string functions are doing is to put
everything
into a structure (string.s and string.len) and terminate it with 'Z'. If
you get the 'Z' somewhere in your output you've done something wrong...

You have to code specificlly for this so it's not a choice of use this
or that lib... but we have done some heavy hacking to qmail to integrate
LDAP and the nice 'Z' have been *very* useful to track coding errors
down.

--
Andre Oppermann

CEO / Geschaeftsfuehrer
Internet Business Solutions Ltd. (AG)
Hardstrasse 235, 8005 Zurich, Switzerland
Fon +41 1 277 75 75 / Fax +41 1 277 75 77
http://www.pipeline.ch    ibs () pipeline ch