Subject: Re: vixie-crontab vulnerable?
To: John F. Woods <firstname.lastname@example.org>
From: Perry E. Metzger <email@example.com>
Date: 12/16/1996 16:02:54

"John F. Woods" writes:
> It would be my suspicion that warning versions of strcat et al would generate
> much more noise than signal, even worse than gets(), and blindly replacing
> them with counted versions is probably more troublesome, since many programs
> (for better or worse) embed strcat or strcpy in time-critical loops; many
> such programs have also taken the time to ensure that overflow situations
> will not happen. (Of course, many have not, which is the problem.)

I think, however, that any SUID or daemon program that is not
performance critical should probably have all the string manipulators
converted over. I can't think of many that are performance critical --
so this means most of them.
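
Added example, not part of the original message or of any program discussed in the thread: a sketch of what converting an unbounded strcpy/strcat sequence to counted form looks like when the conversion is not done blindly, that is, when truncation is detected and treated as an error. The helper names build_path and copy_bounded, the "/spool" directory and the input strings are hypothetical and constructed for illustration; snprintf is assumed to be available (C99).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: build "<dir>/<name>" in a fixed-size buffer, as a
 * SUID program or daemon might when naming a per-user file.
 * Returns 0 on success, -1 if the result would not fit. */
int build_path(char *dst, size_t dstsize, const char *dir, const char *name)
{
    int n;

    if (dst == NULL || dstsize == 0 || dir == NULL || name == NULL)
        return -1;
    /* Unbounded form being replaced:
     *   strcpy(dst, dir); strcat(dst, "/"); strcat(dst, name); */
    n = snprintf(dst, dstsize, "%s/%s", dir, name);
    /* snprintf returns the length it needed; >= dstsize means truncated.
     * Fail closed instead of using a silently shortened path. */
    if (n < 0 || (size_t)n >= dstsize) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Counted copy that always NUL-terminates and reports truncation.
 * strncpy() does neither when the source fills the buffer. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t len;

    if (dst == NULL || dstsize == 0 || src == NULL)
        return -1;
    len = strlen(src);
    if (len >= dstsize) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

int main(void)
{
    char path[16];

    /* Constructed inputs: the first fits, the second does not. */
    printf("short name: %d\n", build_path(path, sizeof path, "/spool", "root"));
    printf("long name:  %d\n", build_path(path, sizeof path, "/spool", "AAAAAAAAAAAAAAAA"));
    return 0;
}
```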