From: Solar Designer <solar@false.com>
Subject: libsafe
To: security-audit@ferret.lmh.ox.ac.uk
Date: Tue, 25 Apr 2000 04:08:27 +0400 (MSD)

Hi,

libsafe has recently been mentioned on Bugtraq and on this list. I'm surprised by the lack of any follow-ups on Bugtraq. Anyway, I think it's not a very good idea to start another discussion of measures like this on Bugtraq (there have been more than enough already), so I'm posting this here. This is not unrelated to security-audit, as it's not obvious whether libsafe itself is safe to use at this stage.

As far as I remember, there was a preloadable library very similar to libsafe (but less complete) originally intended for use on FreeBSD, somewhere around 1996. (I wasn't able to find a copy now; if anyone still has it or knows of a link, please post here.) The main reason it wasn't used much is probably its incompatibility with programs compiled with gcc's "-fomit-frame-pointer".

The first thing I did after downloading libsafe was grep its entire directory tree for a mention of this option. Nothing. Does this mean libsafe will work or is at least safe to use with such programs? From a look at its code, it doesn't seem to be. If there's no frame pointer stored where libsafe expects it to be, its detection of the upper limit on a buffer's size can produce an undefined result, which can, at least in theory, turn out to be smaller than the actual buffer size. Fortunately, libsafe doesn't silently truncate strings -- it will abort the program, so the worst this can do is introduce a DoS possibility into an otherwise correct program. Still, this should be documented. If I'm wrong about all of this, the reasoning for that should be documented instead.

The NOTIFY_WITH_EMAIL code looks broken to me. I vote for this getting dropped completely. It is dangerous to do things like this from the context of a program that has simply called a strcpy(3). I don't think all possible implementations of /bin/mail were intended to run in a way similar to them being installed SUID. In fact, we don't even know if this will run the system's /bin/mail and not something in a chroot; this was just a string manipulation function that was never meant to access the filesystem.

Don't get me wrong, libsafe has its place as a useful security tool; it's just that I'd like to see these concerns addressed.

Signed,
Solar Designer
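The frame-pointer argument above can be made concrete with a small model. The C below is an added illustration written for this archive page; it is neither libsafe's code nor anything Solar Designer posted. It reproduces the idea behind libsafe's bound estimate (walk the saved-frame-pointer chain up from the wrapper's own frame until a frame pointer lies above the destination buffer, and treat the distance as the largest safe copy), but over a constructed stack image indexed by word number rather than over the real process stack, so the result does not depend on how the compiler laid out this program. The two stack images, the frame indices (4, 12, 20, 28), the buffer at words 6..11 and the stray value 8 are all constructed for the example. The second image models a caller built with -fomit-frame-pointer: the slot the wrapper reads as "caller's saved frame pointer" then holds whatever that caller left in the register, and a value that merely looks like a stack address yields a bound smaller than the real buffer, so a legitimate copy is rejected. That is the spurious abort (the DoS) the post describes; a stray value above the buffer's true end would instead give a bound that is too large, which is the other half of "undefined".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack: an array of words, higher index = higher address.
 * Each word is either a saved frame pointer (stored as an index) or
 * ordinary data. Everything here is constructed for the example. */
#define STACK_WORDS 32
#define BAD_FRAME   ((size_t)-1)

typedef struct {
    size_t words[STACK_WORDS];
} stack_model;

/* Walk the saved-frame-pointer chain starting at the wrapper's own frame
 * pointer `fp` until we reach the first frame pointer above `buf`; that
 * frame owns the buffer, and fp - buf is the number of words a copy into
 * buf may write before it reaches the saved frame pointer and return
 * address. BAD_FRAME means the chain left the stack or did not advance. */
size_t frame_bound(const stack_model *s, size_t fp, size_t buf)
{
    for (int depth = 0; depth < STACK_WORDS; depth++) {
        if (fp >= STACK_WORDS) return BAD_FRAME;  /* walked off the stack */
        if (fp > buf) return fp - buf;           /* this frame holds buf */
        size_t next = s->words[fp];              /* "saved caller fp" slot */
        if (next <= fp) return BAD_FRAME;        /* chain must move upward */
        fp = next;
    }
    return BAD_FRAME;
}

/* libsafe-style verdict for copying `len` words into buf: true = allow,
 * false = the wrapper would abort the program. */
bool copy_allowed(const stack_model *s, size_t fp, size_t buf, size_t len)
{
    size_t bound = frame_bound(s, fp, buf);
    return bound != BAD_FRAME && len <= bound;
}

/* Image 1 (constructed): every function kept its frame pointer. */
static void build_framed_stack(stack_model *s)
{
    memset(s, 0, sizeof *s);
    s->words[4]  = 12;   /* wrapper's frame: saved fp of caller A */
    s->words[12] = 20;   /* caller A's frame: saved fp of caller B */
    s->words[20] = 28;   /* caller B's frame: saved fp of main */
    s->words[28] = 31;   /* main: chain ends at the top of the stack */
}

/* Image 2 (constructed): caller A was built with -fomit-frame-pointer, so
 * it never saved a frame pointer and was free to use the register for
 * ordinary data. The wrapper's prologue still pushed that register, so
 * word 4 now holds a stale local of A (here 8) instead of A's frame. */
static void build_omitted_stack(stack_model *s)
{
    build_framed_stack(s);
    s->words[4] = 8;
}

#define WRAPPER_FP 4   /* frame pointer of the strcpy wrapper itself */
#define BUF_ADDR   6   /* caller A's local buffer occupies words 6..11 */
#define BUF_WORDS  6   /* its true size; saved fp sits at word 12 */

size_t bound_with_frame_pointers(void)
{
    stack_model s; build_framed_stack(&s);
    return frame_bound(&s, WRAPPER_FP, BUF_ADDR);    /* 6: exact */
}

size_t bound_without_frame_pointer(void)
{
    stack_model s; build_omitted_stack(&s);
    return frame_bound(&s, WRAPPER_FP, BUF_ADDR);    /* 2: too small */
}

/* Verdict for a copy of `len` words into A's buffer under either image. */
bool verdict(bool caller_omits_fp, size_t len)
{
    stack_model s;
    if (caller_omits_fp) build_omitted_stack(&s); else build_framed_stack(&s);
    return copy_allowed(&s, WRAPPER_FP, BUF_ADDR, len);
}

int main(void)
{
    printf("bound, frame pointers kept : %zu (buffer is %d words)\n",
           bound_with_frame_pointers(), BUF_WORDS);
    printf("bound, caller omits fp     : %zu\n", bound_without_frame_pointer());
    printf("5-word copy, fp kept       : %s\n", verdict(false, 5) ? "allowed" : "abort");
    printf("7-word copy, fp kept       : %s\n", verdict(false, 7) ? "allowed" : "abort");
    printf("5-word copy, fp omitted    : %s\n", verdict(true, 5) ? "allowed" : "abort");
    return 0;
}
```

With frame pointers present the walk stops at word 12 and the bound equals the buffer's real size, so a 6-word copy passes and a 7-word copy (which would reach the saved frame pointer) is refused. With the stale value in word 4 the walk stops at word 8, the bound drops to 2, and a perfectly legal 5-word copy is aborted even though the program was correct: nothing was overwritten, the estimate was simply wrong.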