"Secure coding" audit checkers and Kerberos

Greg Hudson ghudson at MIT.EDU
Wed Oct 15 17:43:44 EDT 2008


On Wed, 2008-10-15 at 16:23 -0500, John Hascall wrote:
> See https://BuildSecurityIn.us-cert.gov/daisy/bsi-rules/home/g1/838-BSI.html

This says:

1. Unspecified versions of snprintf() don't protect against buffer
overflows.  (Possibly elaborated on by the next point; it's unclear.)
2. Old versions of Linux libc4 and "apparently" old HP systems use an
implementation with unspecified security issues.
3. The return value varies (so don't use it, or expect both semantics);
we know about that.
4. Unspecified versions don't guarantee that the result is terminated.

There is one reference, which is a broken link.  Except for the return
value issue, this is pretty much all FUD.  The only implementations
actually cited are too old to worry about.
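Points 3 and 4 above are the two behaviours a caller has to code around: the return value may be the required length (C99), the bytes written, or -1, and termination is not guaranteed on every implementation. The helper below is an added example, not code from this post or from the MIT Kerberos tree; it formats into a heap buffer while treating the result the way the post recommends, i.e. expecting both semantics and terminating the buffer itself. The function name `portable_asprintf` and the initial buffer size are assumptions of the example.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Format into a freshly allocated string without relying on which
 * snprintf() return-value convention the platform follows:
 *   - C99/POSIX: returns the length the full output would need;
 *   - some older libcs: return bytes actually written, or -1 on overflow.
 * Works under either convention by retrying with a larger buffer, and
 * always NUL-terminates the result itself.  Returns NULL on allocation
 * failure; the caller frees the result.  (Example code, not krb5's.)
 */
char *portable_asprintf(const char *fmt, ...)
{
    size_t size = 32;   /* deliberately small so the retry path is exercised */
    char *buf = NULL;

    for (;;) {
        va_list ap;
        int ret;
        char *nbuf;

        if (size > (size_t)INT_MAX) {   /* vsnprintf cannot report more */
            free(buf);
            return NULL;
        }
        nbuf = realloc(buf, size);
        if (nbuf == NULL) {
            free(buf);
            return NULL;
        }
        buf = nbuf;

        va_start(ap, fmt);
        ret = vsnprintf(buf, size, fmt, ap);
        va_end(ap);
        buf[size - 1] = '\0';   /* do not trust the implementation to terminate */

        if (ret >= 0 && (size_t)ret < size - 1)
            return buf;         /* fit completely under either convention */
        if (ret >= 0 && (size_t)ret >= size)
            size = (size_t)ret + 1;   /* C99 semantics: exact need is known */
        else
            size *= 2;          /* -1, or ambiguous size-1: grow and retry */
    }
}
```

A return of exactly `size - 1` is ambiguous (an exact fit under C99, a truncated write under the old convention), so the loop treats it as truncation and retries once with a larger buffer rather than guessing.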
