The perils of security tools

Victor Duchovni Victor.Duchovni at morganstanley.com
Tue May 13 17:10:00 EDT 2008


On Tue, May 13, 2008 at 02:10:45PM +0100, Ben Laurie wrote:

> [Moderator's note: A quick reminder: please use ASCII except if you
> need Unicode to spell your name right. Microsoft's proprietary quote
> marks are not a standard and don't look right on non-Microsoft
> displays. I edited them out of this by hand. --Perry]
> 
> Debian have a stunning example of how blindly fixing "problems" pointed 
> out by security tools can be disastrous.

Upstream authors can take defensive measures against ill-advised
patches of this sort. For a while, distributions were in the habit
of patching the code that Postfix uses to learn its own hostname.
Invariably, they botched it. The code now reads:

  /* get_hostname - look up my host name */

  const char *get_hostname(void)
  {
    char    namebuf[MAXHOSTNAMELEN + 1];

    /*
     * The gethostname() call is not (or not yet) in ANSI or POSIX, but it is
     * part of the socket interface library. We avoid the more politically-
     * correct uname() routine because that has no portable way of dealing
     * with long (FQDN) hostnames.
     *
     * DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION. IT BREAKS MAILDIR DELIVERY
     * AND OTHER THINGS WHEN THE MACHINE NAME IS NOT FOUND IN /ETC/HOSTS OR
     * CAUSES PROCESSES TO HANG WHEN THE NETWORK IS DISCONNECTED.
     *
     * POSTFIX NO LONGER NEEDS A FULLY QUALIFIED HOSTNAME. INSTEAD POSTFIX WILL
     * USE A DEFAULT DOMAIN NAME "LOCALDOMAIN".
     */
    if (my_host_name == 0) {
      /* DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION */
      if (gethostname(namebuf, sizeof(namebuf)) < 0)
        msg_fatal("gethostname: %m");
      namebuf[MAXHOSTNAMELEN] = 0;
      /* DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION */
      if (valid_hostname(namebuf, DO_GRIPE) == 0)
        msg_fatal("unable to use my own hostname");
      /* DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION */
      my_host_name = mystrdup(namebuf);
    }
    return (my_host_name);
  }

The addition of "/* DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION */"
every couple of lines appears to have solved the problem: it deliberately
breaks all prior patches (context diff overlaps), and strongly signals
that the code must not be messed with.

-- 
	Viktor.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
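The "context diff overlaps" remark above, illustrated with an added example that is not from the post or from Postfix: a minimal re-implementation of how patch(1) matches a hunk (exact match, then up to two lines of fuzz), replayed over a constructed, simplified stand-in for the function body with and without the repeated comment lines. The "distribution patch" and the C fragments are constructed for the demonstration.

```python
import difflib
# Constructed, simplified stand-in for get_hostname()'s body before the guard comments were added.
OLD = """\
if (my_host_name == 0) {
    if (gethostname(namebuf, sizeof(namebuf)) < 0)
        msg_fatal("gethostname: %m");
    namebuf[MAXHOSTNAMELEN] = 0;
    if (valid_hostname(namebuf, DO_GRIPE) == 0)
        msg_fatal("unable to use my own hostname");
    my_host_name = mystrdup(namebuf);
}
""".splitlines(keepends=True)
# Constructed "distribution patch" result: validity check swapped for the resolver lookup the comments warn against.
DISTRO = OLD[:4] + ['    hp = gethostbyname(namebuf);\n',
                    '    if (hp == 0) msg_fatal("cannot resolve my hostname");\n'] + OLD[6:]
# Upstream's defence: the same comment between statements, laid out as in the post.
GUARD = "    /* DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION */\n"
NEW = OLD[:1] + [GUARD] + OLD[1:4] + [GUARD] + OLD[4:6] + [GUARD] + OLD[6:]

def hunks(old, new):
    """Split difflib's unified diff (3 context lines) into raw hunk line lists."""
    out = []
    for line in difflib.unified_diff(old, new, "a/f.c", "b/f.c", n=3):
        if line.startswith("@@"):
            out.append([])
        elif out:                      # lines before the first @@ are headers
            out[-1].append(line)
    return out

def apply_hunk(target, hunk, max_fuzz=2):
    """Match like patch(1): context + removed lines must be contiguous; fuzz drops up to N context lines per end."""
    for fuzz in range(max_fuzz + 1):
        h = hunk
        for _ in range(fuzz):
            h = h[1:] if h[0][0] == " " else h
            h = h[:-1] if h[-1][0] == " " else h
        before = [l[1:] for l in h if l[0] in " -"]
        after = [l[1:] for l in h if l[0] in " +"]
        for i in range(len(target) - len(before) + 1):
            if target[i:i + len(before)] == before:
                return target[:i] + after + target[i + len(before):]
    return None                        # rejected at every fuzz level

def apply_patch(target, old=OLD, new=DISTRO):
    """Replay the old->new patch onto target; None if any hunk is rejected."""
    for hunk in hunks(old, new):
        target = apply_hunk(target, hunk)
        if target is None:
            return None
    return target
```

Against the unguarded body the patch applies cleanly; against the body with a comment between each statement every fuzz level fails, because no context line is still adjacent to the lines the hunk wants to change. A single comment placed far from the change (only at the top of the block) does not block it, which is why the comment has to recur every couple of lines.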