
Re: SECURITY PROBLEM: autofs [all versions]



Lars Wirzenius wrote:
> 
> [ I removed a number of people from the To and Cc lines. ]
> 
> "Christopher W. Curtis" <ccurtis@aet-usa.com>:
> > #include <stdio.h>
> > int main()
> > {     FILE *foo = popen( "non-executable.file", "r+" );
> >       fprintf( foo, "hmm" );      /* foo is NULL here, so this crashes */
> > }
> 
> This crashes because popen returns NULL, and you use that value without
> checking for NULL. This is quite regardless of whether the program
> can be executed or not - popen has a large number of reasons why it can
> return NULL and anyone not checking the return value deserves to be
> eaten alive by bulimic carrier pigeons.

And the same should apply to init scripts that try to run a program
without first checking to see if it is executable.  As I said, "the lack
of a core dump does not mean it's correct".

Christopher
