Xref: utzoo comp.lang.c:26634 comp.software-eng:3085
Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!samsung!brutus.cs.uiuc.edu!jarthur!elroy.jpl.nasa.gov!ucla-cs!rutgers!cbmvax!snark!eric
From: eric@snark.uu.net (Eric S. Raymond)
Newsgroups: comp.lang.c,comp.software-eng
Subject: Re: C Community's Cavalier Attitude On Software Reliability
Message-ID: <1Vgvdv#4qXFmx=eric@snark.uu.net>
Date: 6 Mar 90 14:45:10 GMT
References: <802@xyzzy.UUCP> <8230@hubcap.clemson.edu> <16085@haddock.ima.isc.com>
Lines: 16

In <16085@haddock.ima.isc.com> Karl Heuer wrote:
> In article <8230@hubcap.clemson.edu> billwolf%hazel.cs.clemson.edu@hubcap.clemson.edu writes:
> > 1) Unix. (Example: the problem in which the double-length password
> >    was used by an intruder to bypass security, taking
> >    advantage of C's lack of boundary checking)
>
> Every instance that I can think of where a password is required, getpass() is
> used. This routine does its own bounds-checking. I don't suppose you have
> any more data about this incident?

This sounds like a somewhat garbled description of a known hole in SunOS. As
Sun still hasn't fixed it, I shall say no more about it here. E-mail inquiries
from root or anyone whose name I can instantly recognize as a Good Guy will
be answered in more detail.
--
Eric S. Raymond = eric@snark.uu.net (mad mastermind of TMN-Netnews)