From: Daniel J S. <dan...@ie...> - 2006-12-30 18:58:44
Jonathan Thornburg wrote:

> Even if you completely shut off gnuplot's ability to fork shells
> and run other commands, gnuplot is very likely not secure against
> malicious inputs. That is, it is very likely that there exist malicious
> gnuplot command sequences that could trigger a buffer overflow, allowing
> the attacker to execute arbitrary code of her choosing in place of gnuplot.

I'm not following what you are saying. Are you saying that gnuplot can plot some big files and hence overwhelm a system? (Say, just the way my web browser with plug-ins will allow unlimited bloated, animated adverts and will slow the system to a crawl.) Or are you saying gnuplot will lose track of some buffer that will overflow and a hacker could stuff a nasty program in there without the system knowing?

We have been better at not allowing and ridding gnuplot of memory leaks.

Dan