[emboss-dev] [Fwd: Re: PHYLIP code]

ajb at ebi.ac.uk ajb at ebi.ac.uk
Wed Oct 10 11:15:29 UTC 2007


Thanks Guy,

The compilers have been warning about the gets() problem for years
now and it is such a trivial change to use fgets() from stdin
instead. I suspect that that particular area of code wasn't used
anyway owing to the ACD modifications made to the code. The last
time I looked (v1.83) clustalw was still using gets().

I expect 3.67 is on Peter's to-do list (historically he looks
after PHYLIP).

Alan



> 	Dear Peter, dear Alan,
>
> I had some Email exchange with Joe Felsenstein, the author of PHYLIP, and
> this yielded me the following certainly interesting information:
>
> - the e... programs from the old version contain a dangerous bug that
>   makes them vulnerable to buffer overflow attacks
> - the f... programs might have code that is not up-to-date, since there is
>   now already a PHYLIP version 3.67
>
> 	Regards,
> 	Guy Bottu,
> 	BEN
>
> -------- Original Message --------
> Subject: Re: The MUSCLE mystery
> Date: Tue, 9 Oct 2007 09:43:17 -0700
> From: Joe Felsenstein <joe at gs.washington.edu>
> To: Guy Bottu <gbottu at vub.ac.be>
> References: <470BA9AC.60802 at vub.ac.be>
> <20071008195913.GD31764 at gs.washington.edu> <470C5D3F.7020908 at vub.ac.be>
>
>
> Guy --
>
>> They did upgrade. The old version with programs ednapars, etc. based on
>> PHYLIP 3.57c is still in the "old" directory of their ftp server, but
>> they now have a new version with programs fdnapars, etc. based on PHYLIP
>> 3.6b. This appeared with EMBOSS version 3.0.0 already some time ago and
>> I am afraid they still have code based on the beta version of PHYLIP
>> 3.6 ; indeed the header of the files reads
>> /* version 3.6 (c) Copyright 1993-2002 by the University of Washington.
>> ...
>
> Thanks, I am relieved.  The old code was using the "gets" function that
> is deprecated because it was subject to a buffer overflow.
>
> It is too bad they can't be more up-to-date.  I guess they have to do too
> much surgery on my code to routinely update it.  But at least they aren't
> putting out code that can be attacked with a buffer overflow.
>
> J.F.
> ----
> Joe Felsenstein         joe at gs.washington.edu
>   Department of Genome Sciences and Department of Biology,
>   University of Washington, Box 355065, Seattle, WA 98195-5065 USA
>
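The gets() to fgets() change Alan calls trivial, as an added example that is not code from this thread, from PHYLIP or from EMBOSS. The function name read_line, the result codes and the 16-byte buffer are constructed for illustration; the point is that fgets() alone is not the whole fix, since it keeps the trailing newline and leaves the rest of an over-long line in the stream.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern being replaced (reconstructed, not copied from PHYLIP):
 *     char line[100];
 *     gets(line);      // no bound: a line longer than 99 bytes overflows line
 *
 * fgets() takes the buffer size, but two details still need handling:
 *   1. it keeps the trailing '\n' when the line fit;
 *   2. when the line did not fit, the remainder stays in the stream and would
 *      be read as the *next* line unless it is drained.
 */

/* Result codes for read_line() (constructed for this example). */
enum { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/* Read one line from `in` into buf[size] and strip the newline.
 * Returns LINE_OK, LINE_TRUNCATED (line longer than size-1, excess discarded)
 * or LINE_EOF (nothing read). buf is always NUL-terminated when size > 0. */
int read_line(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size > 0) buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline in buf: the line fit exactly, hit EOF, or was too long. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;
    /* Over-long line: drain it so the next call starts on a fresh line. */
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    return LINE_TRUNCATED;
}

int main(void)
{
    char buf[16];   /* deliberately small to show truncation handling */
    int rc;
    while ((rc = read_line(buf, sizeof buf, stdin)) != LINE_EOF)
        printf("%s: \"%s\"\n", rc == LINE_OK ? "ok" : "truncated", buf);
    return 0;
}
```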
