[Mod: FYI - i have not looked at it yet. I am not going to approve anything
on this topic until someone from redhat comments on it or until someone
really goes through the code -- alex]
[Mod: ewt@redhat.com and marc@redhat.com added to the Cc: list -- alex]
Hi there
I saw there was a new redhat vixie-cron available (vixie-cron-3.0.1-19.src.rpm,
dated Nov 10), and given the number of buffer overruns I've seen this year
in everything, I downloaded it to have a look. It looks very similar to the
one I was running (cron-3.0pl1), so I dug deeper... They both still appear
to use sprintf instead of snprintf everywhere!
I went back through my old BUGTRAQ/Linux Security mail messages of the
past year, and there were several pointing out sprintf problems in cron
back in Dec last year. Sure enough, none of those had shown up in the
"newer" crons!
I have patched them into my current cron now, but can someone tell me why
it is still like this? Surely all new cron* distributions should have such
holes fixed by now?
Cheers
--
Jason Haar, Unix/Networking Specialist, Trimble Navigation New Zealand
Phone: +64 3 3391377 Fax: +64 3 3391417
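To make the sprintf/snprintf point concrete, here is an added example (my own illustration, not code from the post above and not code from vixie-cron). It builds a spool-file path from a user name into a fixed-size buffer, first with the unbounded sprintf pattern the post complains about, then with snprintf plus a check of its return value. The spool directory, the 32-byte buffer and the crafted user name are assumptions made up for the demonstration; the overrun is measured with snprintf(NULL, 0, ...) rather than actually triggered, so the program can run without invoking undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Assumption for the demo: a deliberately small buffer so the overrun is easy
 * to see.  Real code would use PATH_MAX or similar, but the bug is the same. */
#define PATH_BUF_DEMO 32

/* Vulnerable pattern: sprintf into a fixed-size buffer with no bound.  If
 * spool_dir + "/" + user_name does not fit, sprintf keeps writing past the end
 * of buf.  Only called below when we already know the result fits. */
static void make_spool_path_sprintf(char *buf, const char *spool_dir,
                                    const char *user_name)
{
    sprintf(buf, "%s/%s", spool_dir, user_name);   /* unbounded write */
}

/* Hardened pattern: snprintf with the buffer size, and a check of the return
 * value.  snprintf returns the length the full output would have had, so a
 * value >= size means it was truncated; we refuse that case instead of using a
 * silently shortened path.  Returns 0 on success, -1 on truncation or error. */
static int make_spool_path_snprintf(char *buf, size_t size,
                                    const char *spool_dir, const char *user_name)
{
    int n = snprintf(buf, size, "%s/%s", spool_dir, user_name);
    if (n < 0 || (size_t)n >= size) {
        if (size)
            buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Demo helper: would the sprintf version overrun a buffer of 'size' bytes?
 * Uses snprintf(NULL, 0, ...) to measure the output (including the NUL)
 * without performing the unsafe write.  Returns 1 for overrun, 0 otherwise. */
static int sprintf_would_overrun(size_t size, const char *spool_dir,
                                 const char *user_name)
{
    int n = snprintf(NULL, 0, "%s/%s", spool_dir, user_name);
    return n < 0 || (size_t)n + 1 > size;
}

int main(void)
{
    char buf[PATH_BUF_DEMO];
    const char *spool = "/var/spool/cron";                 /* assumed directory */
    const char *short_user = "jhaar";                      /* constructed input */
    /* constructed input: a user name longer than the whole buffer */
    const char *long_user = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    if (!sprintf_would_overrun(sizeof buf, spool, short_user)) {
        make_spool_path_sprintf(buf, spool, short_user);
        printf("sprintf, short name: %s\n", buf);
    }
    printf("sprintf, long name would overrun a %zu-byte buffer: %s\n",
           sizeof buf,
           sprintf_would_overrun(sizeof buf, spool, long_user) ? "yes" : "no");

    if (make_spool_path_snprintf(buf, sizeof buf, spool, long_user) < 0)
        printf("snprintf, long name: rejected (would have been truncated)\n");
    else
        printf("snprintf, long name: %s\n", buf);
    return 0;
}
```

The part that is easy to get wrong when doing a mass sprintf-to-snprintf conversion is the return-value check: snprintf alone stops the memory corruption, but a truncated path or command line that is then used as if it were complete is its own bug, so the bounded call should be paired with the `n >= size` test shown here.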