From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1.1-RELEASE
To: Trevor Johnson
Cc: Mike Silbersack, freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
In-reply-to: Your message of "Tue, 10 Oct 2000 21:55:15 EDT."
Date: Wed, 11 Oct 2000 15:14:33 -0700

In message , Trevor Johnson writes:
> > Well, the advisory states that ncurses 5.0 and before are vulnerable. It
> > looks like 5.1-prerelease is what 4.1+ are using. So, until we hear more
> > from warner/kris, I'm assuming that 4.0/3.x are vulnerable, but 4.1+ is
> > safe.
>
> The fixes were applied in ncurses-20001007. We have ncurses-20000701.
>
> I'm attempting to prepare ncurses-20001009 for importing:
> http://people.freebsd.org/~trevor/ncurses/ . I've mentioned it to Peter
> Wemm. It needs more testing though (I haven't even done a "make world").

So far so good on 4.1.1, nothing appears to be broken, yet, and the
exploit fails to work, a good thing.

To "make world" the following patch needs to be applied to
/usr/src/lib/libncurses/Makefile:

--- Makefile.orig Thu Aug 17 00:30:34 2000 +++ Makefile Wed Oct 11 12:59:38 2000 @@ -164,6 +164,7 @@ lib_slktouch.c \ lib_termcap.c \ lib_termname.c \ + lib_tgoto.c \ lib_ti.c \ lib_touch.c \ lib_tparm.c \ @@ -192,6 +193,7 @@ resizeterm.c \ safe_sprintf.c \ setbuf.c \ + strings.c \ sigaction.c \ trace_buf.c \ trace_tries.c \ @@ -245,9 +247,6 @@ SYMLINKS+=libncurses_p.a ${LIBDIR}/libtinfo_p.a .endif -DOCSDIR= /usr/share/doc/ncurses -DOCS= ncurses-intro.html hackguide.html - beforeinstall: ${HEADERS} ${INSTALL} -c -o ${BINOWN} -g ${BINGRP} -m 444 ${HEADERS} \ ${DESTDIR}/usr/include 
@@ -380,7 +379,7 @@ curs_refresh.3x curs_scanw.3x curs_scr_dump.3x curs_scroll.3x \ curs_slk.3x curs_termattrs.3x curs_termcap.3x curs_terminfo.3x \ curs_touch.3x curs_util.3x curs_window.3x define_key.3x \ - dft_fgbg.3x keybound.3x keyok.3x ncurses.3x resizeterm.3x wresize.3x + keybound.3x keyok.3x ncurses.3x resizeterm.3x wresize.3x MAN5= term.5 terminfo.5 MAN7= term.7

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
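
Review bot: strings.c is inserted between setbuf.c and sigaction.c in the @@ -192,6 +193,7 @@ hunk, which breaks the alphabetical order the surrounding entries (resizeterm.c, safe_sprintf.c, setbuf.c, sigaction.c, trace_buf.c) follow. Move the new entry after sigaction.c so the source list stays sorted and later imports diff cleanly against it.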
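
Review bot: the removal of DOCSDIR and DOCS in the @@ -245,9 +247,6 @@ hunk is not explained by the message, which only says the patch is needed for "make world". State why ncurses-intro.html and hackguide.html are no longer installed, and confirm that no rule outside the visible context still expands ${DOCS} or ${DOCSDIR}, since an undefined variable there would silently install nothing.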
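
Review bot: dft_fgbg.3x is dropped from the manual page list in the @@ -380,7 +379,7 @@ hunk without a stated reason. If the page was removed or renamed in the newer ncurses snapshot, say so in the message, and check whether any MLINKS entry outside the visible lines still points at dft_fgbg, because a leftover link to a page that is no longer installed would dangle.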