Subject: Re: vixie-crontab vulnerable?
To: John F. Woods <>
From: Perry E. Metzger <>
List: current-users
Date: 12/16/1996 16:02:54
"John F. Woods" writes:
> It would be my suspicion that warning versions of strcat et al would generate
> much more noise than signal, even worse than gets(), and blindly replacing
> them with counted versions is probably more troublesome, since many programs
> (for better or worse) embed strcat or strcpy in time-critical loops; many
> such programs have also taken the time to ensure that overflow situations
> will not happen.  (Of course, many have not, which is the problem.)

I think, however, that any SUID or daemon program that is not
performance critical should probably have all the string manipulators
converted over. I can't think of many that are performance critical --
so this means most of them.
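
The conversion discussed in this message, as an added example that is not part of the original post or of any cron source: a path join for a privileged program, once with `snprintf` and once with `strncpy`/`strncat`, both rejecting input that does not fit instead of truncating it. The function names, the `/spool` directory and the login names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: write dir + "/" + name into dst (dstlen bytes).
 * Returns 0 on success, -1 if the result would not fit, so the caller can
 * refuse the request instead of acting on a truncated path. */
int join_path(char *dst, size_t dstlen, const char *dir, const char *name)
{
    int n;

    if (dst == NULL || dstlen == 0)
        return -1;
    n = snprintf(dst, dstlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';          /* never leave a truncated path behind */
        return -1;
    }
    return 0;
}

/* Same job with strncpy/strncat. A blind search-and-replace misses two
 * details: strncpy does not NUL-terminate when it truncates, and strncat's
 * count is the space left in dst, excluding the terminator. */
int join_path_strn(char *dst, size_t dstlen, const char *dir, const char *name)
{
    size_t need = strlen(dir) + 1 + strlen(name) + 1;   /* '/' and NUL */

    if (dst == NULL || dstlen == 0) return -1;
    if (need > dstlen) { dst[0] = '\0'; return -1; }
    strncpy(dst, dir, dstlen - 1);
    dst[dstlen - 1] = '\0';
    strncat(dst, "/", dstlen - strlen(dst) - 1);
    strncat(dst, name, dstlen - strlen(dst) - 1);
    return 0;
}

int main(void)
{
    char buf[16];
    const char *names[] = { "alice", "a-very-long-login-name" }; /* constructed */
    for (int i = 0; i < 2; i++) {
        int rc = join_path(buf, sizeof buf, "/spool", names[i]);
        printf("%-24s -> %s\n", names[i], rc == 0 ? buf : "(rejected: too long)");
    }
    return 0;
}
```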