On Wed, Jan 09, 2008 at 11:49:58AM -0000, Rob Epping wrote:
> Hi Simon,
>
> Due to restrictive SMTP settings on the host running heartbeat
> the original sender was invalid. This is changed now in BTS.

Thanks.

> Simon Horman wrote:
> > On Tue, Jan 08, 2008 at 08:05:28PM +0000, Systeem Beheerder wrote:
> [SNIP]
> >> Marked important as I see some string defined with length 64 in
> >> lib/plugins/HBauth/sha1.c and AFAIK this could be used for buffer
> >> overflow attacks.
> [SNIP]
> > I'm not sure that it will have any security implications,
> > if the code in question only takes input from authkeys,
> > then that input can only be provided as root.
>
> The authkeys file could get overwritten using for example a tmpfile
> creation error. I'm sure this will not be easy, but still.....

I'm not sure that particular vector of attack would work as heartbeat
does check the permissions and ownership of authkeys before loading it,
but I do agree that having buffer overflows in code that runs as root
is not a good thing.

> > But this certainly does warrant further investigation.
>
> Thanks. Took me a while before I found out why heartbeat would not work
> with my (very long) sha1-key.
> The segfault line in syslog is one of many.

I feel your pain. Malfunctioning code is rarely fun.

-- 
Horms

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
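The thread above turns on two points: a key read from authkeys being copied into a fixed 64-byte buffer in the sha1 auth plugin (the cause of the reported segfault), and Horms' reply that heartbeat checks the ownership and permissions of authkeys before loading it. The C below is an added example written for this page, not heartbeat's own code; it shows the unbounded copy that produces the crash next to a bounded parser that rejects an over-long key, and an owner/mode check done on the open descriptor before any parsing. The authkeys line format ("auth N" followed by "N method key" lines), KEY_BUF_LEN, the /tmp sample file and every function name are assumptions of this example.

```c
/* Added example, not heartbeat's own code: models the failure the thread
 * describes (an authkeys key copied into a fixed 64-byte buffer) next to the
 * two checks a reviewer would want: a bounded copy that rejects over-long keys
 * and an owner/mode check on the open file before parsing. The line format
 * ("auth N" / "N method key"), KEY_BUF_LEN and all names are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define KEY_BUF_LEN 64            /* the fixed size discussed in the thread */

struct authkey { int id; char method[16]; char key[KEY_BUF_LEN]; };

/* Vulnerable pattern, shown for contrast and never called: a key of 64 or
 * more characters writes past key[], the segfault in the report. */
void copy_key_unsafe(struct authkey *ak, const char *key)
{
    strcpy(ak->key, key);         /* no length check at all */
}

/* Hardened parse of one "id method [key]" line: 0 on success, -1 on
 * malformed input or a key that would not fit in key[] with its NUL. */
int parse_authkey_line(const char *line, struct authkey *out)
{
    char *end;
    long id = strtol(line, &end, 10);
    const char *p = end + strspn(end, " \t");
    size_t mlen = strcspn(p, " \t\r\n"), klen;

    if (end == line || id < 1 || id > 15) return -1;
    if (mlen == 0 || mlen >= sizeof out->method) return -1;
    memcpy(out->method, p, mlen);
    out->method[mlen] = '\0';
    p += mlen + strspn(p + mlen, " \t");
    klen = strcspn(p, " \t\r\n");
    if (klen >= KEY_BUF_LEN) return -1;            /* reject, don't overflow */
    if (klen == 0 && strcmp(out->method, "crc") != 0) return -1; /* crc: no key */
    memcpy(out->key, p, klen);
    out->key[klen] = '\0';
    out->id = (int)id;
    return 0;
}

/* Owner/mode check on the open descriptor (the inode actually read, so no
 * check-then-open race): regular file, owned by `owner`, no group/other bits. */
int check_authkeys_fd(int fd, uid_t owner)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? -1 : 0;
}

/* Permission check first, then bounded parsing of every key line ("auth N"
 * and comments are skipped). Returns keys loaded, or -1 on any rejection. */
int load_authkeys(int fd, uid_t owner, struct authkey *keys, size_t max)
{
    char line[1024];
    size_t n = 0;
    FILE *f;

    if (check_authkeys_fd(fd, owner) != 0 || (f = fdopen(fd, "r")) == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (line[0] == '#' || line[0] == '\n' || strncmp(line, "auth", 4) == 0)
            continue;
        if (n >= max || parse_authkey_line(line, &keys[n++]) != 0) {
            fclose(f);
            return -1;
        }
    }
    fclose(f);
    return (int)n;
}

/* Constructed sample input: `content` in an anonymous temp file with `mode`,
 * returned as a descriptor positioned at the start (-1 on failure). */
int make_sample_authkeys(const char *content, mode_t mode)
{
    char path[] = "/tmp/authkeys.XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (write(fd, content, strlen(content)) < 0 || fchmod(fd, mode) != 0 ||
        lseek(fd, 0, SEEK_SET) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    struct authkey k;
    int fd = make_sample_authkeys("auth 1\n1 sha1 short-secret\n", 0600);
    printf("0600 file loads %d key(s)\n", load_authkeys(fd, getuid(), &k, 1));
    return 0;
}
```

The owner check is done with fstat on the descriptor that is then handed to fdopen, so the file whose mode was checked is the file that is parsed; a stat on the path followed by a separate open would leave the window that the "tmpfile creation error" scenario in the thread relies on. A 63-character key fits, a 64-character one is refused with an error instead of being written past the end of key[].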