search for: catopen

-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:53 Security Advisory FreeBSD, Inc. Topic: catopen() may pose security risk for third party code Category: core Module: libc Announced: 2000-09-27 Affects: FreeBSD 5.0-CURRENT, 4.x and 3.x prior to the correction date. Corrected: Problem 1: 2000-08-06 (FreeBSD 5.0-CURRENT) 2000-08-22 (FreeB...

...re glibc malloc's space shared between all threads for returning "Unknown error -1", and which could get corrupted by a parallel thread doing strerror(-2)). But FreeBSD shares static storage for strerror() results among all threads, in part because it computes the resulting string via catopen()/catgets()/catclose() and MUST copy the localized string somewhere because the source read via catgets() may not survive catclose(). So we really need to audit all use of sterror() in nbdkit and switch over to strerror_r(), remembering to work around the alternate glibc signature when _GNU_SOURCE...

...9;\0'') *name = (char *) _nl_C_name; } --- libc-5.4.44/libc/nls/msgcat.c.secenv Thu Aug 28 04:59:19 1997 +++ libc-5.4.44/libc/nls/msgcat.c Sat May 16 16:45:42 1998 @@ -124,6 +124,8 @@ #include <sys/mman.h> #endif +extern char *__libc_secure_getenv(const char *); + nl_catd catopen( const char *name, int type ) { @@ -141,13 +143,13 @@ if (stat(catpath, &sbuf)) return(NLERR); } else { #if BROKEN_SETLOCALE - if ((lang = (char *) getenv ("LANG")) == NULL) lang = "C"; + if ((lang = (char *) __libc_secure_getenv ("LANG")) == NULL) lang =...

Our use of "%m" in various error messages is testament to the project's initial life on Linux - but other than Cygwin, I know of no other platforms supporting that glibc extension. We COULD audit the code and manually turn "%m" into "%s"/strerror(errno), but that's a lot of churn. Instead, let's fix the few outliers that can't be easily wrapped, then

This was posted not too long ago on sci.crypt... Enjoy... I think the most relevant information is near the top, but it''s all quite good... :-) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- There is no intrinsic difference between algorithm and data, the same information can be viewed as data in one context and as algorithm in another. Why then do so many people claim that encryption algorithms