On Fri, Jul 17, 2015 at 06:48:31PM -0600, Theo de Raadt wrote:
> > my perspective is: absent clear knowledge of what programs are doing, attempts
> > to second guess them in a library function are perilous. let us be standards
> > compliant, and then at least any resulting holes are clearly th
> The only objection I can see is something stupid that does not check
> the error condition, derefs NULL, drops a core file in an insecure
> place, and therefore leaks information.
>
> To my mind this is a buggy program, combined with an insecure configuration,
> and we shouldn't be trying to sav
> my perspective is: absent clear knowledge of what programs are doing, attempts
> to second guess them in a library function are perilous. let us be standards
> compliant, and then at least any resulting holes are clearly the program's
> fault.
such programs always dereference the pointer.
So I ag
Stuart Henderson wrote:
> On 2015/07/17 20:24, Ted Unangst wrote:
> > Jeremy Evans wrote:
> > > As an aside, crypt("passwd", "$2") returns ":" instead of NULL. I'm not
> > > sure if that's a security issue, but I think it is and we should fix it.
> > > I'll see if I can get a patch for that and se
> Ted Unangst wrote:
> > Jeremy Evans wrote:
> > > As an aside, crypt("passwd", "$2") returns ":" instead of NULL. I'm not
> > > sure if that's a security issue, but I think it is and we should fix it.
> > > I'll see if I can get a patch for that and send it to tech@.
> >
> > This is a weird edge
Ted Unangst wrote:
> Jeremy Evans wrote:
> > As an aside, crypt("passwd", "$2") returns ":" instead of NULL. I'm not
> > sure if that's a security issue, but I think it is and we should fix it.
> > I'll see if I can get a patch for that and send it to tech@.
>
> This is a weird edge case where ni