Date: Thu, 16 Jan 2014 21:41:02 +0100
From: Jeremie Le Hen <jlh@FreeBSD.org>
To: freebsd-security@freebsd.org
Cc: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:01.bsnmpd
Message-ID: <20140116204101.GA40990@caravan.chchile.org>
In-Reply-To: <201401142011.s0EKB8Zw082592@freefall.freebsd.org>
References: <201401142011.s0EKB8Zw082592@freefall.freebsd.org>

Hi,

On Tue, Jan 14, 2014 at 08:11:08PM +0000, FreeBSD Security Advisories wrote:
>
> II. Problem Description
>
> The bsnmpd(8) daemon is prone to a stack-based buffer-overflow when it
> has received a specifically crafted GETBULK PDU request.
>
> III. Impact
>
> This issue could be exploited to execute arbitrary code in the context of
> the service daemon, or crash the service daemon, causing a denial-of-service.
>
> IV. Workaround
>
> No workaround is available, but systems not running bsnmpd(8) are not
> vulnerable.

We are supposed to have SSP in all binaries, which should prevent
exploitation of this kind of bug. I am curious why it hasn't been
mentioned: is it because it didn't work as expected (which would
require some investigation), or is it just an omission?

Regards,
-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.