From gbottu at vub.ac.be Wed Oct 10 06:24:50 2007
From: gbottu at vub.ac.be (Guy Bottu)
Date: Wed, 10 Oct 2007 12:24:50 +0200
Subject: [emboss-dev] [Fwd: Re: PHYLIP code]
Message-ID: <470CA872.3000202@vub.ac.be>

Dear Peter, dear Alan,

I had some Email exchange with Joe Felsenstein, the author of PHYLIP, and this
yielded me the following certainly interesting information:

- the e... programs from the old version contain a dangerous bug that makes them
  vulnerable to buffer overflow attacks
- the f... programs might have code that is not up-to-date, since there is now
  already a PHYLIP version 3.67

Regards,
Guy Bottu,
BEN

-------- Original Message --------
Subject: Re: The MUSCLE mystery
Date: Tue, 9 Oct 2007 09:43:17 -0700
From: Joe Felsenstein
To: Guy Bottu
References: <470BA9AC.60802 at vub.ac.be>
 <20071008195913.GD31764 at gs.washington.edu> <470C5D3F.7020908 at vub.ac.be>

Guy --

> They did upgrade. The old version with programs ednapars, etc. based on
> PHYLIP 3.57c is still in the "old" directory of their ftp server, but
> they now have a new version with programs fdnapars, etc. based on PHYLIP
> 3.6b. This appeared with EMBOSS version 3.0.0 already some time ago and
> I am afraid they still have code based on the beta version of PHYLIP
> 3.6 ; indeed the header of the files reads
> /* version 3.6 (c) Copyright 1993-2002 by the University of Washington.
> ...

Thanks, I am relieved. The old code was using the "gets" function that
is deprecated because it was subject to a buffer overflow.

It is too bad they can't be more up-to-date. I guess they have to do too
much surgery on my code to routinely update it. But at least they aren't
putting out code that can be attacked with a buffer overflow.

J.F.
----
Joe Felsenstein joe at gs.washington.edu
Department of Genome Sciences and Department of Biology,
University of Washington, Box 355065, Seattle, WA 98195-5065 USA

From ajb at ebi.ac.uk Wed Oct 10 07:15:29 2007
From: ajb at ebi.ac.uk (ajb at ebi.ac.uk)
Date: Wed, 10 Oct 2007 12:15:29 +0100 (BST)
Subject: [emboss-dev] [Fwd: Re: PHYLIP code]
In-Reply-To: <470CA872.3000202@vub.ac.be>
References: <470CA872.3000202@vub.ac.be>
Message-ID: <43049.81.98.241.17.1192014929.squirrel@webmail.ebi.ac.uk>

Thanks Guy,

The compilers have been warning about the gets() problem for years now and
it is such a trivial change to use fgets() from stdin instead. I suspect
that that particular area of code wasn't used anyway owing to the ACD
modifications made to the code.

The last time I looked (v1.83) clustalw was still using gets().

I expect 3.67 is on Peter's to-do list (historically he looks after PHYLIP).

Alan

> Dear Peter, dear Alan,
>
> I had some Email exchange with Joe Felsenstein, the author of PHYLIP, and
> this yielded me the following certainly interesting information:
>
> - the e... programs from the old version contain a dangerous bug that
>   makes them vulnerable to buffer overflow attacks
> - the f... programs might have code that is not up-to-date, since there is
>   now already a PHYLIP version 3.67
>
> Regards,
> Guy Bottu,
> BEN
>
> -------- Original Message --------
> Subject: Re: The MUSCLE mystery
> Date: Tue, 9 Oct 2007 09:43:17 -0700
> From: Joe Felsenstein
> To: Guy Bottu
> References: <470BA9AC.60802 at vub.ac.be>
> <20071008195913.GD31764 at gs.washington.edu> <470C5D3F.7020908 at vub.ac.be>
>
> Guy --
>
>> They did upgrade. The old version with programs ednapars, etc. based on
>> PHYLIP 3.57c is still in the "old" directory of their ftp server, but
>> they now have a new version with programs fdnapars, etc. based on PHYLIP
>> 3.6b. This appeared with EMBOSS version 3.0.0 already some time ago and
>> I am afraid they still have code based on the beta version of PHYLIP
>> 3.6 ; indeed the header of the files reads
>> /* version 3.6 (c) Copyright 1993-2002 by the University of Washington.
>> ...
>
> Thanks, I am relieved. The old code was using the "gets" function that
> is deprecated because it was subject to a buffer overflow.
>
> It is too bad they can't be more up-to-date. I guess they have to do too
> much surgery on my code to routinely update it. But at least they aren't
> putting out code that can be attacked with a buffer overflow.
>
> J.F.
> ----
> Joe Felsenstein joe at gs.washington.edu
> Department of Genome Sciences and Department of Biology,
> University of Washington, Box 355065, Seattle, WA 98195-5065 USA
>
> _______________________________________________
> emboss-dev mailing list
> emboss-dev at lists.open-bio.org
> http://lists.open-bio.org/mailman/listinfo/emboss-dev
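The gets()-to-fgets() change Alan calls trivial, shown as an added C example. This is editor-supplied illustration, not code from PHYLIP, EMBOSS or clustalw, and the function names (read_line, read_all) and the sample input are constructed for the demonstration. It also shows the part of the swap that is easy to get wrong: fgets() bounds the write but silently truncates an over-long line and leaves the rest of it for the next call, so a faithful replacement strips the newline, detects truncation and discards the remainder of the line.

```c
#include <stdio.h>
#include <string.h>

/* Result of reading one line into a fixed-size buffer. */
enum line_status { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = 2 };

/*
 * The pattern the thread is about.  gets() takes no length, so a line
 * longer than the destination overruns the buffer (here, on the stack):
 *
 *     char name[80];
 *     gets(name);            // unbounded write; removed from the C11 library
 *
 * fgets(buf, size, fp) is the bounded replacement, but it differs in two
 * ways a mechanical swap tends to miss: it keeps the trailing newline, and
 * on a line longer than size-1 bytes it stops silently, leaving the rest of
 * the line to be returned by the next call, which then parses the tail of
 * one record as if it were the next one.  read_line() wraps fgets() and
 * handles both.
 */
enum line_status read_line(char *buf, size_t size, FILE *fp)
{
    if (size == 0)
        return LINE_EOF;
    if (fgets(buf, (int)size, fp) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* gets() semantics: no newline kept */
        return LINE_OK;
    }
    /* No newline in the buffer: either the final line of the input has no
     * newline (fine) or the line was longer than the buffer.  Peek once. */
    int c = fgetc(fp);
    if (c == EOF)
        return LINE_OK;
    /* Over-long line: discard the remainder so the next read starts at the
     * next record, and tell the caller the data was cut. */
    while (c != '\n' && c != EOF)
        c = fgetc(fp);
    return LINE_TRUNCATED;
}

/*
 * Demonstration helper (constructed for this example): feeds a string
 * through read_line() with a `size`-byte buffer and records each line and
 * its status.  Returns the number of lines read, or -1 if no temp file.
 * `size` is capped at 64 to match the scratch buffer and the `lines` rows.
 */
int read_all(const char *input, size_t size, char lines[][64],
             int *status, int max)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fputs(input, fp);
    rewind(fp);

    char buf[64];
    if (size > sizeof buf)
        size = sizeof buf;

    int n = 0;
    while (n < max) {
        enum line_status st = read_line(buf, size, fp);
        if (st == LINE_EOF)
            break;
        status[n] = (int)st;
        strcpy(lines[n], buf);        /* buf holds at most 64 bytes incl. NUL */
        n++;
    }
    fclose(fp);
    return n;
}

int main(void)
{
    /* Constructed sample: a short record, an over-long line, another record,
     * read with a deliberately tiny 8-byte buffer to force truncation. */
    const char *sample = "ACGT\nthis line is far longer than eight bytes\nTTGA\n";
    char lines[8][64];
    int status[8];
    int n = read_all(sample, 8, lines, status, 8);
    for (int i = 0; i < n; i++)
        printf("%-9s \"%s\"\n",
               status[i] == LINE_TRUNCATED ? "TRUNCATED" : "OK", lines[i]);
    return 0;
}
```

With the 8-byte buffer the second line comes back as "this li" flagged TRUNCATED, and the third line is still read as "TTGA" rather than as the leftover tail of the second one; a caller that treats TRUNCATED as an input error gets the same protection gets() never offered, without the silent misalignment a bare fgets() swap would introduce.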