On Mon, 27 Nov 2000, Warner Losh wrote:

: Ah, but there are two problems here.  One is the buffer overflow
: problem, and the other is opening the wrong file problem.  You'll
: likely never completely solve the buffer overflow problem short of
: solving buffer overflows (which is an API change for many apis and a
: migration to the new save api, or interesting compiler tricks).

That's just not true.  Solving buffer overflows involves writing smarter
code.  Buffer overflows happen _exclusively_ because of programmer laziness.

It's really not that hard to see that strcat(), sprintf() (without size
limiters in the format), etc. are just not safe to use in any well-written
program, setuid or not.

-- 
-- Todd Vierling <tv@wasabisystems.com>  *  http://www.wasabisystems.com/
-- Speed, stability, security, and support.  Wasabi NetBSD:  Run with it.