[emboss-dev] [Fwd: Re: PHYLIP code]

[Guy Bottu]

	Dear Peter, dear Alan,

I had some Email exchange with Joe Felsenstein, the author of PHYLIP, and this 
yielded me the following certainly interestinginformations :

- the e... programs from the old version contain a dangerous bug that makes them 
  vulnerable to buffer overflow attacks
- the f... programs might have code that is not up-to-date, since there is now 
already a PHYLIP version 3.67

	Regards,
	Guy Bottu,
	BEN

-------- Original Message --------
Subject: Re: The MUSCLE mystery
Date: Tue, 9 Oct 2007 09:43:17 -0700
From: Joe Felsenstein <joe at gs.washington.edu>
To: Guy Bottu <gbottu at vub.ac.be>
References: <470BA9AC.60802 at vub.ac.be> 
<20071008195913.GD31764 at gs.washington.edu> <470C5D3F.7020908 at vub.ac.be>


Guy --

> They did upgrade. The old version with programs ednapars, etc. based on 
> PHYLIP 3.57c is still in the "old" directory of their ftp server, but 
> they now have a new version with programs fdnapars, etc. based on PHYLIP 
> 3.6b. This appeared with EMBOSS version 3.0.0 already some time ago and 
> I am afraid they still have code based on the beta version of PHYLIP
> 3.6 ; indeed the header of the files reads
> /* version 3.6 (c) Copyright 1993-2002 by the University of Washington.
> ...

Thanks, I am relieved.  The old code was using the "gets" function that
is deprecated because it was subject to a buffer overflow.

It is too bad they can't be more up-to-date.  I guess they have to do too
much surgery on my code to routinely update it.  But at least they aren't
putting out code that can be attacked with a buffer overflow.

J.F.
----
Joe Felsenstein         joe at gs.washington.edu
  Department of Genome Sciences and Department of Biology,
  University of Washington, Box 355065, Seattle, WA 98195-5065 USA