From: stheg olloydson
To: freebsd-security@freebsd.org
Date: Sun, 6 Apr 2008 12:47:11 -0700 (PDT)
Message-ID: <185727.37681.qm@web32704.mail.mud.yahoo.com>
Subject: CVE-2008-1391 - Multiple BSD Platforms "strfmon()" Function Integer Overflow

Hello,

According to the information at mitre.org, both 6.x and 7.0 are vulnerable.
I see in NetBSD's CVS log for src/lib/libc/stdlib/strfmon.c, they have patched this on March 27. Looking at FreeBSD's CVS log at http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdlib/strfmon.c, shows that no changes have been made since Mon Sep 12, 2005. Is our strfmon() not vulnerable as reported?

stheg