[nas] nas: Multiple Vulnerabilities in nas 1.9.3

Erik Auerswald auerswal at unix-ag.uni-kl.de
Thu Aug 15 07:04:32 MDT 2013


Hi,

On Thu, Aug 15, 2013 at 01:07:20PM +0200, Erik Auerswald wrote:
> On Thu, Aug 15, 2013 at 09:27:53AM +0430, Hamid Zamani wrote:
> > On 08/15/2013 03:07 AM, Erik Auerswald wrote:
> > [...]
> > just an issue is in my mind and it is about 'AuServerHostName'. It's
> > correct that almost all of the string calls are fixed right now, but I think for
> > later use it would be better to think about checking this or use a
> > limitation about it. What do you think?
> 
> [...]
> It was easier to just mechanically add range checks, than to understand
> and check for what constitutes a correct value for AUDIOHOST. ;-)

The code in question is used on Amoeba (http://www.cs.vu.nl/pub/amoeba/)
only. As far as I understand the code, it will not work without the
AUDIOHOST environment variable, because AuServerHostName is not set
anywhere else. The AuServerHostName variable is used on Amoeba only.

Unless somebody comes up with a patch or a good description of how to check
this variable, I suggest leaving this code as is.

We might want to drop support for the Amoeba OS. We could use a census of
currently "supported" operating systems to decide which of them can be
supported in reality.

Cheers,
Erik
-- 
Unix is simple and coherent, but it takes a genius - or at any rate a
programmer - to understand and appreciate the simplicity.
                        -- Dennis Ritchie

