
Re: [XBoard-devel] sending security patches


From: Tim Mann
Subject: Re: [XBoard-devel] sending security patches
Date: Sun, 4 Sep 2005 23:57:43 -0700

I think we'd be happy to get such patches.  However, the project hasn't
been very active for a few years, so I can't promise someone will get
around to merging them soon.

Hopefully they will be trivial and short enough that we can use them
without having to get you to sign FSF paperwork.  That's actually not a
huge deal, though.

One technical point: there are currently a lot of potential buffer
overflows in the code because of sprintf'ing into a buffer with
unchecked length (or the like).  However, just converting them all to
snprintf (etc.) will still leave the program buggy -- silently
truncating long inputs is better than corrupting memory, but what we
really should do in many cases is either (a) accept arbitrarily long
inputs or (b) generate an error message if the input is too long.

On Mon, 5 Sep 2005 02:28:51 -0400, Chris Frey <address@hidden> wrote:
> Hi,
> 
> I'm just checking whether it would be welcomed if I posted security
> patches to the list as I found them.
> 
> For example, if I went through and changed all sprintf and strcpy/strcat
> calls to their safer equivalents, would that be accepted?
> 
> If I posted them to the list with a public domain notice, could they
> go into CVS right away?
> 
> Thanks for any feedback,
> - Chris


-- 
Tim Mann  address@hidden  http://tim-mann.org/
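
The distinction drawn in the message above, shown as an added example that is not part of the original e-mail or of the XBoard source: option (b) rejects over-long input with an error instead of truncating it, and option (a) sizes the buffer to fit. The names `format_checked` and `format_alloc` are hypothetical, and the engine name in `main` is constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Option (b): format into a fixed buffer and report an error instead of
 * silently truncating. Returns 0 on success, -1 if the output did not fit;
 * on failure buf is emptied so a partial value is never used. */
int format_checked(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (size == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);   /* n = length the full output needs */
    va_end(ap);
    if (n < 0 || (size_t)n >= size) { buf[0] = '\0'; return -1; }
    return 0;
}

/* Option (a): accept arbitrarily long input by measuring first, then
 * allocating exactly enough. Caller frees. Returns NULL on failure. */
char *format_alloc(const char *fmt, ...)
{
    va_list ap;
    int n;
    char *out;
    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);     /* C99: size 0 only measures */
    va_end(ap);
    if (n < 0) return NULL;
    out = malloc((size_t)n + 1);
    if (out == NULL) return NULL;
    va_start(ap, fmt);
    vsnprintf(out, (size_t)n + 1, fmt, ap);
    va_end(ap);
    return out;
}

int main(void)
{
    char small[16];
    const char *name = "an-engine-name-longer-than-the-buffer"; /* constructed */
    if (format_checked(small, sizeof small, "engine: %s", name) != 0)
        fprintf(stderr, "error: engine name too long (%zu bytes)\n", strlen(name));
    char *msg = format_alloc("engine: %s", name);
    if (msg) { puts(msg); free(msg); }
    return 0;
}
```

A plain `snprintf` call that ignores its return value would leave `small` holding a truncated name with no indication that anything was lost.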



