FreeBSD Security Archives: Re: delegate buffer overflow (ports)

Subject: Re: delegate buffer overflow (ports)
From: Alfred Perlstein (bright@wintelcom.net)
Date: Fri Jan 28 2000 - 03:37:51 CST


* Kris Kennaway <kris@hub.freebsd.org> [000128 01:26] wrote:
> On Fri, 28 Jan 2000, Masafumi NAKANE wrote:
>
> > Instead, I will make this port to ask the user if he/she really wants
> > to continue the installation with the security information at
> > ``pkg_add'', ``make pre-fetch'' and ``make install'' times. This
>
> Hmm. If this is along the lines of:
>
> **************************************
> ** WARNING!!! WARNING!!! WARNING!!! **
> **************************************
>
> THIS PORT CONTAINS KNOWN SECURITY HOLES WHICH ALLOW A REMOTE ATTACKER TO
> EASILY TAKE CONTROL OF YOUR MACHINE. YOU INSTALL THIS PORT AT YOUR OWN
> RISK!! DON'T COME CRYING TO US IF YOU GET ROOTED BECAUSE OF INSTALLING
> THIS PORT.
>
> Do you want hackers to be able to take remote control of your
> machine? (y/N):
>
> then I guess I have no problem with it :-)
>
> Kris

Actually something _like_ this would do a couple of good things:

a) make it known to the authors that we know their program is
   a security hazard
b) provide a common error message instead of multiple variations of
   FORBIDDEN, which make it harder to identify such ports. Marking it
   insecure via INSECURE would be interesting, allowing a comment,
   possibly containing a pointer to the advisory or email thread
   that got it marked so.

example:
INSECURE= http://docs.freebsd.org/cgi/getmsg.cgi?fetch=407538+0+current/freebsd-bugs

What do you think of this?

-Alfred
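The check Alfred sketches above, written out as an added example (it is not code from the thread or from the FreeBSD ports framework): a port Makefile carries a single `INSECURE=` line whose value points at the advisory, and a common warning is printed before fetch or install. The variable name INSECURE and the warning banner come from the messages; the shell functions, the `FORCE_INSECURE` override and the sample Makefile are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread or of bsd.port.mk.
# Sketch of a pre-fetch/pre-install hook for a port marked
#   INSECURE= <pointer to advisory or mail thread>
# It prints one common warning citing that pointer and refuses to
# proceed unless the user has explicitly set FORCE_INSECURE=yes.
# FORCE_INSECURE is an assumed name, not a real ports variable.

# insecure_pointer FILE
#   Prints the value of the INSECURE= line in a port Makefile
#   (also accepts ?= and :=). Returns 1, printing nothing, when
#   the port is not marked.
insecure_pointer() {
    sed -n 's/^INSECURE[[:space:]]*[?:]*=[[:space:]]*//p' "$1" | head -n 1 | grep .
}

# check_insecure FILE [FORCE]
#   Returns 0 when installation may proceed: either the port is not
#   marked, or FORCE is "yes". Returns 1 after printing the common
#   warning when the port is marked and FORCE is anything else.
check_insecure() {
    makefile=$1
    force=${2:-no}
    pointer=$(insecure_pointer "$makefile") || return 0
    cat >&2 <<EOF
**************************************
** WARNING!!! WARNING!!! WARNING!!! **
**************************************
THIS PORT CONTAINS KNOWN SECURITY HOLES. Details:
  $pointer
Set FORCE_INSECURE=yes to install it anyway.
EOF
    [ "$force" = yes ]
}

# demo: runs the check against a constructed sample Makefile.
# The advisory URL below is a constructed placeholder.
demo() {
    tmp=$(mktemp)
    printf 'PORTNAME=\tdelegate\nINSECURE=\thttp://example.invalid/advisory\n' > "$tmp"
    check_insecure "$tmp" "${FORCE_INSECURE:-no}"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh this-script.sh demo            (refuses, exit status 1)
#        FORCE_INSECURE=yes sh this-script.sh demo   (warns, then exit 0)
if [ "${1:-}" = demo ]; then
    demo
fi
```

The point of keeping the message text inside one function rather than in each port is exactly (b) in the message: every marked port prints the same banner, so grepping the ports tree for `INSECURE=` finds all of them, and the pointer value is the only thing that differs per port.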




This archive was generated by hypermail 2b27 : Fri Jan 28 2000 - 03:29:42 CST