Mark Crispin wrote:
> On Wed, 27 May 2009, Bjoern Voigt wrote:
>> Anyway, I think, the bug should be fixed for the next release of UW
>> Imap, Alpine etc. Who can do this? I can help with a patch and with some
>> testing if this is helpful.
>
> I fail to see why this is important.  The fix is obvious and trivial,
> but I don't see why it is worth wasting time.
Ok, I did not say, that the bug is important. I said, that Linux with
Glibc2 is important. And I said, that I wish that the bug will be fixed
in the next release.

The bug could be seen as a low priority bug. I can agree with this.

> You agree that this is not a security issue; by its nature getpass()
> is only usable in shell programs and the interactive prompt makes it
> unsuitable for scripts.
>
> It does not affect Alpine.  It only affects mtest (which has other
> issues and is only a sample program) and mailutil.
>
> mailutil has a 1024 byte buffer.  How many people have passwords that
> are that long?  So the only crash will be if someone deliberately
> makes it crash, and to accomplish what purpose?
I think, if a user can crash an application with a special input, the
program has a bug.

We are in the good situation, that the bug is low priority, that the bug
is not security related and that it is trivial to fix it. But I wonder a
bit about this discussion. I believe that fixing the buffer overflow
with a simple replacement of strcpy() with strncpy() in function
mm_login, a bit of testing and writing a commit message takes less time
than this discussion.  ;-)

Fixing the Solaris 10 problem would take a bit more time for me, because
I haven't already incorporated into the OS-dependency things in UW-Imapd.

Tim wrote that UW probably no longer maintains UW Imapd and Alpine. So,
is there a plan how new versions of Alpine and UW Imapd will be released?

My question is: Are you planning to write a fix or do you plan to accept
a fix for the buffer overflow bug?

If I know this, we may want to decide, if it's reasonable to write bug
reports for some Linux distributions (I have openSUSE and Ubuntu) and
for Solaris.

Greetings,
Björn
_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
http://mailman2.u.washington.edu/mailman/listinfo/imap-uw
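
The strcpy()-to-strncpy() replacement proposed in this message, as an added example that is not part of the original post and not UW IMAP code. The helper names and the constructed overlong input are assumptions; only the 1024-byte buffer size comes from the thread. It shows the bounded copy with the terminator strncpy() does not write on its own, next to a variant that rejects overlong input instead of truncating it.

```c
#include <stdio.h>
#include <string.h>

#define PWD_BUF_LEN 1024 /* buffer size the thread quotes for mailutil */

/* strncpy() variant (hypothetical helper): bounded, but strncpy() writes no
 * terminator when the source fills the buffer, so one is set by hand.
 * Overlong input is silently truncated. */
void copy_truncating(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return;
    strncpy(dst, src, dstlen - 1);
    dst[dstlen - 1] = '\0';
}

/* Stricter variant (hypothetical helper): refuse input that does not fit,
 * so a truncated password is never passed on. Returns 0 on success and -1
 * if src plus its terminator exceeds dstlen; dst is left empty on failure. */
int copy_checked(char *dst, size_t dstlen, const char *src)
{
    const char *nul;

    if (dstlen == 0)
        return -1;
    dst[0] = '\0';
    nul = memchr(src, '\0', dstlen); /* look for the terminator within bounds */
    if (nul == NULL)
        return -1;
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

int main(void)
{
    char pwd[PWD_BUF_LEN];
    char longin[2000]; /* constructed stand-in for an overlong getpass() result */

    memset(longin, 'A', sizeof longin - 1);
    longin[sizeof longin - 1] = '\0';

    copy_truncating(pwd, sizeof pwd, longin);
    printf("strncpy variant kept %zu bytes\n", strlen(pwd));
    printf("checked variant returned %d\n", copy_checked(pwd, sizeof pwd, longin));
    return 0;
}
```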
