On Wed, Nov 27, 2013 at 16:47, Francisco de Borja Lopez Rio wrote: > Ok. Probably I need to understand first what "an unsafe use" of it means, as > mentioned in Security Recommendations in the porting page: > > http://www.openbsd.org/porting.html#Security
1. I don't think strcmp belongs in that last. strcmp only reads data. If that's a problem, then the buffer overflow has already occurred. 2. I honestly don't understand what half of those issues are or how we could possibly fix all the ports to avoid them. I think they're mostly talking about setuid programs, but some of the bullet points forget to mention that fact. "Beware the dynamic loader"? Are people actually auditing every library to make sure it calls issetugid? Maybe I'm just out of touch with how porting really works.
