From owner-freebsd-security@FreeBSD.ORG Thu Jul 31 11:52:05 2003
Message-Id: <5.2.0.9.0.20030731144633.05832008@209.112.4.2>
Date: Thu, 31 Jul 2003 14:52:56 -0400
From: Mike Tancsa
References: <20030731183553.GA85469@mind.net>
cc: freebsd-security@freebsd.org
Subject: Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug

At 02:40 PM 31/07/2003 -0400, polytarp@cyberspace.org wrote:
>Buffer overflows which work on Linux do not work on FreeBSD.

You need to qualify that statement. Yes, there are some that will not be relevant and the exact same exploit code will not work. But "Buffer overflows which work on Linux do not work on FreeBSD" is dangerously misleading.... In the case of wu-ftpd there have been several issues in the past that affected both FreeBSD and Linux. Same bug, different exploit code, both vulnerable.
That being said, I haven't had a chance to review this one so I don't know.

---Mike