Complete.Org: Mailing Lists: Archives: gopher: January 2002:
[gopher] Antwort: Re: finally i find other gopherfans... (gn maintainer)
To: John Goerzen <jgoerzen@xxxxxxxxxxxx>
Cc: <bkarger@xxxxxxx>, ripclaw@xxxxxxxxxxxxx, gopher@xxxxxxxxxxxx
Subject: [gopher] Antwort: Re: finally i find other gopherfans... (gn maintainer)
From: "Stefan Koerner" <stefan.koerner@xxxxxx>
Date: Tue, 15 Jan 2002 19:01:54 +0100
Reply-to: gopher@xxxxxxxxxxxx


hi john !

> > i have an entire mirror of the 1997 site archived on tape,
> > and the tarball for the last official release up on my homepage
> > at http://www.rocklinux.org/people/ripclaw/software/gopher -
> > sorry for not having a gopher, it wasn`t secure enough.
>
> I'm glad to hear about someone maintaining gn!  I had thought it had
> died out into oblivion.

john frank nearly forgot about his (bastard) childe as he called it
between the lines.

> > seeing other people release something the like is an enormous
> > boost to my morale, and will finally get me onto my ass and fixing
> > some of the source soon.
>
> Excellent :-)
>
> If you need any resources (esp. CVS repository or some such), let me
> know.

thanks for the offer, i`m port maintainer at rocklinux.org, i can get the
resources. i just do not like remote CVS, so i keep stuff up there in
tarballs and scp it up there.

> > since you guys probably went through the same thing,
> > where is sufficient info on security related changes
> > (str*n* functions in C) available ?
>
> Hmm.  You might start here:
>
> http://rr.sans.org/threats/buffer_overflow.php

thanks.

> Basically, these functions are often unsafe:
>
>   strcpy
>   strcat
>   sprintf
>   gets
>
> It's because you can copy a string larger than the destination into
> it.  In place, you'd want to use the "n" functions -- strncpy, etc.

i know that they work by having you name the number of bytes to copy,
but the glibc documentation for it was too sketchy and the differences
between e.g. the various *nprintf variants and the internally used formats
did not clearly arise into my mind after reading the documentation
and the usual glibc cruft.
especially i did not see where the usage/performance advantages were at.

i did a bit of research and ran ITS4 against it, the warnings are available at
http://www.rocklinux.org/~ripclaw/gn-its4.tar

since this is the first time i do a source audit, help would be appreciated.
the source tarball is located at
http://www.rocklinux.org/people/ripclaw/projects/software/gopher/

if someone could e.g. pick a nice case and make a sample on that.
i tried some, they compiled and it worked, but i did not feel too sure,
since i had no time to mess with c for almost half a year now.

> > my dreams currently focus on a gopher-only multithreading server
> > with ssl/tls support and a ssh-for-telnet trade.
>
> Nice.
>
> You might want to look over CVS diffs from UMN gopherd to get an idea
> of the stuff that has been changed.

did anything fundamental (e.g. protocol extensions) change ?
anything that could possibly break compatibility is of interest.
(tried to get xgopher 1.3 to work yesterday, still having minor (spare time)
problem with it not accepting gopher.quux.* as a startup host.)

> > i ran into some compile problems with gopher-3.0.2 on my box,
> > i`ll find time and figure out.
>
> You might want to send the build log to me and I'll see what I can
> find.

i`m sure it is about library locations and ./configure options I need.
if i run into anything unusual, i`ll tell you, else i`ll try packaging
it for rocklinux soon.



kind regards,


stefan
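
A sample case of the kind asked for above, added here as an example and not part of the original message or of the gn source: bounded replacements for strcpy, strcat and sprintf that show how each "n" function counts its size argument and how truncation is detected. The helper names and the menu-line layout (type, display name, selector, host, port, tab-separated) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers (not from gn). dstsz is the full size of dst.
 * Each returns 0 on success, -1 if the input did not fit. */

/* strcpy replacement. strncpy writes no NUL when src is at least as
 * long as the count, so terminate explicitly. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) < dstsz ? 0 : -1;
}

/* strcat replacement. strncat's count is the number of characters to
 * append, not the buffer size; it writes a NUL after them. */
int bounded_append(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);       /* dst must already be terminated */
    if (used >= dstsz)
        return -1;
    size_t room = dstsz - used - 1;  /* keep one byte for the NUL */
    strncat(dst, src, room);
    return strlen(src) <= room ? 0 : -1;
}

/* sprintf replacement, formatting one gopher menu line. snprintf's size
 * includes the NUL and it returns the length the full output needs, so
 * n >= dstsz means truncation. Very old glibc returned -1 instead. */
int format_menu_line(char *dst, size_t dstsz, char type, const char *name,
                     const char *selector, const char *host, int port)
{
    int n = snprintf(dst, dstsz, "%c%s\t%s\t%s\t%d\r\n",
                     type, name, selector, host, port);
    return (n >= 0 && (size_t)n < dstsz) ? 0 : -1;
}

int main(void)
{
    char buf[16];   /* constructed sample input below */
    int rc = bounded_copy(buf, sizeof buf, "a selector that is far too long");
    printf("rc=%d buf=[%s]\n", rc, buf);
    return 0;
}
```

gets has no bounded form with the same signature; fgets(buf, sizeof buf, stream) is its replacement.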

