$Name: release2_0-12 $
$Id: ChangeLog,v 1.13 2002/03/18 21:38:07 ttsai Exp $

Version 2.0-12
* Mon Mar 18 2002 Timothy Tsai <ttsai@avaya.com>
- src/intercept.c:
	- In vfprintf() and _IO_vfprintf(), added the ' and I characters as
	  valid flags in the format string. [Bug reported by Wojciech
	  Purczynski.]
	- In vfprintf() and _IO_vfprintf(), changed the way in which "%n"
	  conversion specifiers are found in the format string.  Each "%n"
	  conversion is now matched to its corresponding argument, and only
	  that argument is verified not to point to a return address. [Bug
	  reported by Wojciech Purczynski.]
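
Added example (not code from libsafe or its authors): one way to match each "%n" in a format string to the argument it consumes, as the 2.0-12 entry above describes, with the ' and I flags accepted. The function name find_percent_n_args() is hypothetical, positional arguments (%2$n) are not handled, and the return-address check on the matched pointer is left out.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not libsafe source). Walks a printf-style format string and
 * stores in out[] the 1-based index of the variadic argument consumed by each
 * %n conversion. Returns the number of %n conversions found.
 * Assumption: positional arguments such as %2$n are not handled. */
size_t find_percent_n_args(const char *fmt, size_t *out, size_t max)
{
    size_t arg = 0, found = 0;

    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* literal "%%": no argument */
        while (*p && strchr("-+ #0'I", *p)) /* flags, including ' and I */
            p++;
        if (*p == '*') { arg++; p++; }      /* width taken from an int argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                    /* precision, same rules as width */
            p++;
            if (*p == '*') { arg++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) /* length modifiers */
            p++;
        if (*p == '\0')
            break;                          /* truncated conversion */
        if (*p != 'm')
            arg++;                          /* glibc %m takes no argument */
        if (*p == 'n') {
            if (found < max)
                out[found] = arg;           /* this is the pointer to verify */
            found++;
        }
    }
    return found;
}

int main(void)
{
    size_t idx[4];
    size_t n = find_percent_n_args("%s %'d %Id %n", idx, 4); /* constructed input */
    printf("%zu %%n conversion(s), first uses argument %zu\n", n, idx[0]);
    return 0;
}
```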

Version 2.0-11
* Mon Feb 18 2002 Yoann Vandoorselaere  <yoann@mandrakesoft.com>
- src/util.c (prelude_alert): (fill_assessment): (set_user_infos): 
	- Add support for Prelude notification.  Generate a Prelude IDMEF alert
	  message.  (See http://www.prelude-ids.org)

* Mon Nov 12 2001 Timothy Tsai <ttsai@avaya.com>
- All files:
	- Added #ident RCS keywords in source code files.
- intercept.c:
	- Added detection for additional vulnerable functions:
	    wcscpy()
	    stpcpy()
	    wcpcpy()
	    wcscat()
	- Changed interception of *scanf() and *printf() functions so that a
	  true wrapper is used.  The vfscanf.c, vfprintf.c, reg-printf.c, and
	  printf-parse.h files are no longer needed.  All interception is
	  performed completely in intercept.c.
	- Added the _libsafe_exclude variable to allow disabling of libsafe
	  checks under one of two conditions:
	    - If util.c determines that frame pointers do not exist on the
	      stack.  This is an optimization to minimize the overhead for
	      programs that are compiled with -fomit-frame-pointer.
	    - If the current program name is listed in /etc/libsafe.exclude.
	      This allows libsafe to be linked system-wide (via ld.so.preload),
	      while disabling libsafe for a small set of incompatible programs.
- util.c:
	- Changed find_stack_start().  Instead of following the chain of frame
	  pointers back to the terminating 0x00000000, we determine the start
	  of the stack by assuming that the main thread stack starts at
	  0xbf800000 and extends for 0x00800000 bytes.  Other thread stacks
	  occupy approximately 0x0020000 bytes and are allocated at addresses
	  lower than the main thread stack.
	- If any function determines that there are no frame pointers on the
	  stack, then _libsafe_exclude is set to 1, which will effectively
	  bypass libsafe checking from that point onward.
	- Added _libsafe_save_ra_fp(), _libsafe_verify_ra_fp() to support
	  interception of *scanf() functions.  Added _libsafe_raVariableP() to
	  support detection of printf format bugs.

* Mon Jun 4 2001 Timothy Tsai <ttsai@avaya.com>
- util.c:
	- Fixed bug in sendmail() caused by ctime() and bare LF's.  [Reported
	  by José Luis Domingo López.]

The following includes changes that comprise version 2.0:
* Wed Jan 20 2001 Timothy Tsai <ttsai@avaya.com>
- vfprintf.c:
	- Incorporated *printf() code from libc-2.1.3-91.src.rpm.  This code
	  fixes a bug for sprintf(), when the same buffer occurs as the
	  destination buffer and a source buffer (e.g., "sprintf(buf, "%s...",
	  buf, ...)).
	- Introduced code to check for printf format bugs.  The code detects
	    - overwriting of return addresses via printf("%n", ...)
	    - printf argument lists that span multiple stack frames
* Wed Jan 17 2001 Timothy Tsai <ttsai@avaya.com>
- vfscanf.c:
	- Replaced iovfscanf.c with vfscanf.c from libc-2.1.3-91.src.rpm.  This
	  updated version supports more field modifiers and conversions.
* Mon Nov 15 2000 Timothy Tsai <ttsai@avaya.com>
- util.c:_libsafe_stackVariableP():
	- Added code to see if the stack contains stack frames with frame
	  pointers.  If frame pointers are missing, then
	  _libsafe_stackVariableP() always returns 0, which means that checking
	  for buffer overflows is disabled.  This addition is needed to handle
	  code compiled with -fomit-frame-pointer.  [-fomit-frame-pointer
	  incompatibility reported by Solar Designer, Michael Sweet, and
	  others.]
- util.c:_libsafe_die():
	- Change the mail notification mechanism.  Instead of relying on an
	  external mail program, email messages are now sent by directly
	  communicating with the SMTP port.  [Security vulnerabilities of email
	  raised by Solar Designer and others.]
	- Added code to print the UID and effective UID of the user.  Note that
	  this is the user who started the process, who may not necessarily be
	  the attacker.  [Suggested by Duane Dunston.]
	- Added code to print the address of the code that called the unsafe
	  function that was detected by libsafe.
	- Added code to optionally generate a core dump upon exit.  [Suggested
	  by Aaron Hopkins.]
	- Added debugging code to turn off adding entries to syslog.  This is
	  useful during testing when a large number of test violations are
	  detected.  The code must be enabled with the -DDEBUG_TURN_OFF_SYSLOG
	  option in the Makefile.
	- Added dying flag to effectively disable _libsafe_stackVariableP()
	  after _libsafe_die() has been called.
- util.c:find_stack_start():
	- find_stack_start() replaces _libsafe_initialize_start_stack().
	  find_stack_start() works for multi-threaded processes and is less
	  kludgy.
- util.c:_libsafe_dump_stack():
	- Added this function to print out the contents of the stack when a
	  violation is detected.  This function is called from _libsafe_die()
	  and must be enabled with the -DDUMP_STACK option in the Makefile.
- intercept.c:gets():
	- Added extra code to make sure that the libsafe gets() treats newlines
	  the same way the libc gets() does.  [Suggested by Jutta Degener.]
- intercept.c:getwd():
	- Added code to make sure no more than PATH_MAX characters are
	  returned.  [Suggested by Jutta Degener.]
- intercept.c:
	- Made "static memcpy_t real_memcpy" a global variable since four
	  functions access it.  This increases the performance very slightly.
	  [Suggested by Paul Boehm.]
- iovfscanf.c:
	- Corrected bug in code that improperly processed format specifiers
	  with explicit field widths for char types.  [Bug reported by Bojan
	  Pogacar.]
- depend: removed from the package

* Fri April 21 2000 Arash Baratloo <arash@research.bell-labs.com>
- Corrected a couple of bugs (in util.c) that kept libsafe from running on RH5.1
- Added dependencies to the Makefile
	
* Thu Mar 30 2000 Vandoorselaere Yoann <yoann@mandrakesoft.com>
* Thu Mar 30 2000 Arash Baratloo <arash@research.bell-labs.com>
- Update to 1.3
- Rename copying.lib to copying
- Use _exit because a SIGSEGV can be caught.

* Thu Mar 30 2000 Vandoorselaere Yoann <yoann@mandrakesoft.com>
- Removed a dangerous debugging function.
- Removed the mail_list file specified by variable feature ( could lead to
  attack ).
- Removed all c++ comment... reindent all code.
- Removed dead code.
- renamed int script to int.sh.
- Removed unused check from _libsafe_stackVariableP() ( stack_start is
  initialized in intercept.c ).

* Thu Mar 09 2000 Vandoorselaere Yoann <yoann@mandrakesoft.com>
	- int : use bash
	- Makefile : make clean work now :)
	- intercept.c : don't initialize static function pointer at .text init
	  time.
	- intercept.c : reindented + c++ to c comment :)
	- intercept.c : getLibraryFunction -> use const
	- added intercept.c , will be a c port of intercept.cpp
	- util.c: added warning, for a problem I'm not sure of
	- util.c: don't use non portable asm instruction to make the program
	  exit, use a clean portable way to do it...
	- util.c: never use system cause it can be a security problem.
	- util.c: Use the first variable stack address as the sp address.
	- util.c: Use unsigned long cause it is a word long on all architectures.
	- Imported libsafe source, created module, created changelog.
