The perils of security tools
Victor Duchovni
Victor.Duchovni at morganstanley.com
Tue May 13 17:10:00 EDT 2008
On Tue, May 13, 2008 at 02:10:45PM +0100, Ben Laurie wrote:
> [Moderator's note: A quick reminder: please use ASCII except if you
> need Unicode to spell your name right. Microsoft's proprietary quote
> marks are not a standard and don't look right on non-Microsoft
> displays. I edited them out of this by hand. --Perry]
>
> Debian have a stunning example of how blindly fixing "problems" pointed
> out by security tools can be disastrous.
Upstream authors can take defensive measures against ill-advised
patches of this sort. For a while, distributions were in the habit
of patching the code that Postfix uses to learn its own hostname.
Invariably, they botched it. The code now reads:
    /* get_hostname - look up my host name */

    const char *get_hostname(void)
    {
        char    namebuf[MAXHOSTNAMELEN + 1];

        /*
         * The gethostname() call is not (or not yet) in ANSI or POSIX, but it is
         * part of the socket interface library. We avoid the more politically-
         * correct uname() routine because that has no portable way of dealing
         * with long (FQDN) hostnames.
         *
         * DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION. IT BREAKS MAILDIR DELIVERY
         * AND OTHER THINGS WHEN THE MACHINE NAME IS NOT FOUND IN /ETC/HOSTS OR
         * CAUSES PROCESSES TO HANG WHEN THE NETWORK IS DISCONNECTED.
         *
         * POSTFIX NO LONGER NEEDS A FULLY QUALIFIED HOSTNAME. INSTEAD POSTFIX WILL
         * USE A DEFAULT DOMAIN NAME "LOCALDOMAIN".
         */
        if (my_host_name == 0) {
            /* DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION */
            if (gethostname(namebuf, sizeof(namebuf)) < 0)
                msg_fatal("gethostname: %m");
            namebuf[MAXHOSTNAMELEN] = 0;
            /* DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION */
            if (valid_hostname(namebuf, DO_GRIPE) == 0)
                msg_fatal("unable to use my own hostname");
            /* DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION */
            my_host_name = mystrdup(namebuf);
        }
        return (my_host_name);
    }
The addition of "/* DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION */"
every couple of lines appears to have solved the problem: it deliberately
breaks all prior patches (context diff overlaps), and strongly signals
that the code must not be messed with.
--
Viktor.
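An added, stand-alone illustration of the approach the quoted Postfix function takes: learn the local hostname with gethostname() alone, terminate the buffer explicitly, and accept it only after a pure syntax check, with no gethostbyname() or other resolver call that could block or fail when the network is down. This is example code written for this page, not Postfix's code and not part of the original message; the function names (hostname_is_valid, get_own_hostname), the label rules the validator enforces and the fallback MAXHOSTNAMELEN value are my assumptions, loosely modeled on the constraints valid_hostname() applies.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 256      /* assumed fallback when the platform lacks it */
#endif

/*
 * Syntax check only: no DNS lookup, no /etc/hosts, nothing that can block.
 * Rules (an assumption for this example): one or more dot-separated labels,
 * each 1..63 characters of [A-Za-z0-9-], not beginning or ending with '-',
 * total length at most 255.  Returns 1 if acceptable, 0 otherwise.
 */
int hostname_is_valid(const char *name)
{
    size_t  total = strlen(name);
    size_t  label_len = 0;
    const char *p;

    if (total == 0 || total > 255)
        return 0;
    for (p = name; ; p++) {
        if (*p == '.' || *p == '\0') {
            /* empty label, or label ending in '-' */
            if (label_len == 0 || p[-1] == '-')
                return 0;
            if (*p == '\0')
                break;
            label_len = 0;
        } else if (isalnum((unsigned char) *p)) {
            label_len++;
        } else if (*p == '-') {
            if (label_len == 0)         /* label may not start with '-' */
                return 0;
            label_len++;
        } else {
            return 0;                   /* anything else is rejected */
        }
        if (label_len > 63)
            return 0;
    }
    return 1;
}

/*
 * Learn this host's name the way get_hostname() above does: gethostname()
 * only, explicit NUL termination (gethostname() need not terminate the
 * buffer on truncation), then the syntax check.  Copies the result into
 * out[] and returns 0 on success, -1 on any failure.
 */
int get_own_hostname(char *out, size_t outlen)
{
    char    namebuf[MAXHOSTNAMELEN + 1];

    /* DO NOT CALL GETHOSTBYNAME FROM THIS FUNCTION */
    if (gethostname(namebuf, sizeof(namebuf)) < 0)
        return -1;
    namebuf[MAXHOSTNAMELEN] = '\0';
    if (!hostname_is_valid(namebuf))
        return -1;
    if (strlen(namebuf) + 1 > outlen)
        return -1;
    memcpy(out, namebuf, strlen(namebuf) + 1);
    return 0;
}

int main(void)
{
    char    name[MAXHOSTNAMELEN + 1];

    if (get_own_hostname(name, sizeof(name)) == 0)
        printf("hostname: %s\n", name);
    else
        fprintf(stderr, "unable to use my own hostname\n");
    return 0;
}
```

The point of keeping the validator purely syntactic is the same one the capitalised comments make: a name the resolver cannot find is a configuration problem to report, not a reason for every mail delivery process to hang on a resolver timeout.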
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com