Full Disclosure mailing list archives
Re: EFC Released
From: Balwinder Singh <balwinder () gmx net>
Date: Sat, 06 Mar 2004 14:14:50 +0530
Although I appriciate ideas to enhance security concerning buffer overflows or format string bugs, i cannot understand why to find the following lines in etc_db_new.c including your package: <snip> char pwd[MAX_PATH_LEN]; ... i = 0; while((ch = fgetc(strace_file)) != '\0') { pwd[i] = ch; i++; } ... </snip> Haven't found any made borders. And yes, due to its permissions it won't let people become root ... it is just a cosmetic failure. (hopefully) :) Moreover, and that is the actual reason for replying your mail ... I couldn't find the patch in $EFC_PATH/efc/ ... did I just download a non complete package?
Thanks for pointing out the problems. Both problems have been corrected in 1.0.2 version. Please get the newer version of EFC from sourceforge. Regards Bal _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- EFC Released Balwinder Singh (Mar 03)
- Re: EFC Released Timothy Demulder (Mar 04)
- Re: EFC Released Balwinder Singh (Mar 04)
- Re: EFC Released Klaus Moeller (Mar 04)
- Re: EFC Released Matthias Stiller (Mar 05)
- Re: EFC Released Balwinder Singh (Mar 06)
- <Possible follow-ups>
- RE: EFC Released Rainer Gerhards (Mar 04)
- Re: EFC Released Timothy Demulder (Mar 04)