"Secure coding" audit checkers and Kerberos
ghudson at MIT.EDU
Wed Oct 15 17:43:44 EDT 2008
On Wed, 2008-10-15 at 16:23 -0500, John Hascall wrote:
> See https://BuildSecurityIn.us-cert.gov/daisy/bsi-rules/home/g1/838-BSI.html
1. Unspecified versions of snprintf() don't protect against buffer
overflows. (Possibly elaborated on by the next point; it's unclear.)
2. Old versions of Linux libc4 and "apparently" old HP systems use an
implementation with unspecified security issues.
3. The return value varies (so don't use it, or expect both semantics);
we know about that.
4. Unspecified versions don't guarantee that the result is terminated.
There is one reference, which is a broken link. Except for the return
value issue, this is pretty much all FUD. The only implementations
actually cited are too old to worry about.
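As an added illustration of the one point the reply does take seriously, the varying snprintf() return value, here is a small C example (not code from the thread or from Kerberos) showing how a caller can stay correct under both conventions: the C99 rule that returns the length the output would have needed, and the older behaviour of returning -1 on truncation. It forces NUL termination itself instead of trusting the library, and it avoids the classic chaining mistake of computing `size - n` with an `n` that may exceed `size`. The helper names `safe_format`, `safe_append` and `demo` are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Bounded vsnprintf() wrapper (example code, not from the thread).
 * Returns 1 if the whole formatted string fit, 0 if it was truncated or
 * an error occurred. Tolerates both return-value conventions:
 *   - C99: returns the needed length, which is >= size on truncation;
 *   - older libcs: return -1 on truncation.
 * buf is always NUL-terminated on return, regardless of the library. */
static int safe_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (buf == NULL || size == 0)
        return 0;
    buf[0] = '\0';
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    buf[size - 1] = '\0';     /* never rely on the library to terminate */

    if (n < 0)                /* old-style truncation signal, or an error */
        return 0;
    if ((size_t)n >= size)    /* C99-style: output needed more room */
        return 0;
    /* A libc that returned "bytes written" on truncation cannot be told
     * apart from an exact fit here; that is the reason to treat the
     * return value with suspicion rather than to build on it. */
    return 1;
}

/* Append formatted text at the current end of buf. The NUL is forced
 * first, so strlen() is bounded and size - used can never wrap around,
 * unlike the common "buf + n, size - n" pattern fed a C99 return value
 * larger than size. Returns 1 if everything fit, 0 if truncated. */
static int safe_append(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    size_t used;
    int n;

    if (buf == NULL || size == 0)
        return 0;
    buf[size - 1] = '\0';
    used = strlen(buf);       /* <= size - 1 because of the forced NUL */
    va_start(ap, fmt);
    n = vsnprintf(buf + used, size - used, fmt, ap);
    va_end(ap);
    buf[size - 1] = '\0';
    if (n < 0 || (size_t)n >= size - used)
        return 0;
    return 1;
}

/* Worked checks on an 8-byte buffer. Returns how many of the four
 * expectations held; a correct build returns 4. */
static int demo(void)
{
    char small[8];
    int ok = 0;

    /* 7 characters plus NUL fit exactly */
    if (safe_format(small, sizeof small, "%s", "abcdefg") == 1 &&
        strcmp(small, "abcdefg") == 0)
        ok++;
    /* 8 characters do not: truncation is reported, buffer stays terminated */
    if (safe_format(small, sizeof small, "%s", "abcdefgh") == 0 &&
        strcmp(small, "abcdefg") == 0)
        ok++;
    /* appending past the end is reported, no wrap-around, still terminated */
    safe_format(small, sizeof small, "%s", "abc");
    if (safe_append(small, sizeof small, "%d", 12345) == 0 &&
        strcmp(small, "abc1234") == 0)
        ok++;
    /* an append that fits succeeds */
    safe_format(small, sizeof small, "%s", "ab");
    if (safe_append(small, sizeof small, "-%d", 12) == 1 &&
        strcmp(small, "ab-12") == 0)
        ok++;
    return ok;
}

int main(void)
{
    printf("%d of 4 checks passed\n", demo());
    return 0;
}
```

The design point is that truncation is detected from `n < 0 || n >= room`, which is the only test that holds across the return-value variants the thread mentions, and that the buffer's last byte is written by the caller so termination does not depend on which implementation is linked.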