diff -burN tcsh-6.20.00.orig/ma.setp.c tcsh-6.20.00/ma.setp.c
--- tcsh-6.20.00.orig/ma.setp.c 2007-11-20 23:03:51.000000000 +0300
+++ tcsh-6.20.00/ma.setp.c 2017-07-20 12:21:40.440176574 +0300
@@ -107,7 +107,7 @@
 char *suffix;
 char *defalt;
 } syspath[] = {
- "PATH", "/bin", ":/usr/ucb:/bin:/usr/bin",
+ "PATH", "/bin", ":/bin:/usr/bin:/sbin:/usr/sbin",
 "CPATH", "/include", ":/usr/include",
 "LPATH", "/lib", ":/lib:/usr/lib",
 "MPATH", "/man", ":/usr/man",
@@ -354,10 +354,15 @@
 *new = '\0';
 if (localsyspath != NULL) {
 *new = ':';
- (void) strcpy(new + 1, localsyspath);
- (void) strcat(new, pe->psuf);
+ /*
+ limit all elements to 1/2 of MAXPATHLEN aka PATH_MAX
+ this reduces the risk, but doesn't eliminate it: the
+ use of fixed-size buffer must be totally eliminated
+ */
+ (void) strncpy(new + 1, localsyspath, MAXPATHLEN>>1);
+ (void) strncat(new, pe->psuf, MAXPATHLEN>>1);
 }
- (void) strcat(new, pe->pdef);
+ (void) strncat(new, pe->pdef, MAXPATHLEN>>1);
 for (n = 0; n < pe->pdirs; n++) {
 if (pe->pdir[n] == NULL)
 continue;
@@ -397,8 +402,8 @@
 new = localsyspath;
 else {
 new = newbuf;
- (void) strcpy(new, localsyspath);
- (void) strcat(new, pe->psuf);
+ (void) strncpy(new, localsyspath, MAXPATHLEN>>1);
+ (void) strncat(new, pe->psuf, MAXPATHLEN>>1);
 }
 n = locate(pe, new);
 if (n >= 0)
@@ -458,8 +463,8 @@
 if (sflag) { /* add suffix */
 new = newbuf;
- (void) strcpy(new, key);
- (void) strcat(new, pe->psuf);
+ (void) strncpy(new, key, MAXPATHLEN>>1);
+ (void) strncat(new, pe->psuf, MAXPATHLEN>>1);
 } else
 new = key;
 new = strsave(new);
@@ -560,8 +565,8 @@
 if (sflag) { /* append suffix */
 new = newbuf;
- (void) strcpy(new, key);
- (void) strcat(new, pe->psuf);
+ (void) strncpy(new, key, MAXPATHLEN>>1);
+ (void) strncat(new, pe->psuf, MAXPATHLEN>>1);
 } else
 new = key;
 new = strsave(new);
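Review bot: The new default search path in the `PATH` row of `syspath[]` is undocumented and unrelated to the bounds changes that make up the rest of this patch. Dropping `/usr/ucb` and adding `/sbin:/usr/sbin` changes what every user gets by default, so I would at least record the reason next to the row, e.g. `/* packaging default: /usr/ucb dropped, /sbin and /usr/sbin added */`. The value also still begins with `:`, and the hunk at -354 appends `pe->pdef` to an empty buffer when `localsyspath` is NULL. If that string is ever used as a search path as-is it would start with an empty element, which shells conventionally read as the current directory; the consumer is outside the hunks, so this needs confirming.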
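Review bot: `strncpy(new + 1, localsyspath, MAXPATHLEN>>1)` in the hunk at -354 leaves `new` without a terminating NUL whenever `localsyspath` is at least `MAXPATHLEN>>1` bytes long, and the `strncat` calls that follow then search for a terminator in whatever the buffer held before. The third argument of `strncat` also limits only the bytes appended, not the total, so this hunk can still write one byte plus three half-`MAXPATHLEN` pieces plus a NUL, which is presumably more than the buffer behind `new` holds (its declaration is outside the hunk). The same `strncpy`/`strncat` pair is repeated in the hunks at -397, -458, -560 and -582, where two halves plus the NUL come to `MAXPATHLEN + 1` bytes. I would format the whole element in one bounded call and treat truncation as an error, as sketched below; `len` would be a new local `int`, and the enclosing function starts and ends outside the hunk.

```c
/* … unchanged: *new = '\0'; … */
/* bufsz: placeholder for the real size of the buffer behind new (declared outside the hunk) */
if (localsyspath != NULL)
    len = snprintf(new, bufsz, ":%s%s%s", localsyspath, pe->psuf, pe->pdef);
else
    len = snprintf(new, bufsz, "%s", pe->pdef);
if (len < 0 || (size_t)len >= bufsz) {
    /* element does not fit: report it and skip this entry rather than keep a truncated path */
}
/* … unchanged: for (n = 0; n < pe->pdirs; n++) loop … */
```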
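Review bot: Silent truncation is the missing check in the hunk at -458: when `key` is longer than `MAXPATHLEN>>1`, the shortened string is still handed to `strsave(new)` and kept as if it were the directory the caller asked for, so the search path ends up naming a different directory. The hunk at -560 stores a shortened entry the same way, and the hunks at -397 and -582 use a shortened string for lookup (`locate(pe, new)` and the `realkey` loop), where it can match or miss the wrong entry. Rejecting an over-long element before copying is safer than shortening it, e.g. `if (strlen(key) + strlen(pe->psuf) > MAXPATHLEN) { /* report and do not insert */ }`, with the limit adjusted to the real size of `newbuf`, which is declared outside the hunk. The enclosing functions start and end outside these hunks.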
@@ -582,8 +587,8 @@
 if (sflag) {
 realkey = keybuf;
- (void) strcpy(realkey, key);
- (void) strcat(realkey, pe->psuf);
+ (void) strncpy(realkey, key, MAXPATHLEN>>1);
+ (void) strncat(realkey, pe->psuf, MAXPATHLEN>>1);
 } else
 realkey = key;
 for (i = 0; i < pe->pdirs; i++)