From owner-freebsd-security@FreeBSD.ORG Thu Jul 31 14:31:42 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A72B537B401
	for ; Thu, 31 Jul 2003 14:31:42 -0700 (PDT)
Received: from grex.cyberspace.org (grex.cyberspace.org [216.93.104.34])
	by mx1.FreeBSD.org (Postfix) with SMTP id B7E6543FBD
	for ; Thu, 31 Jul 2003 14:31:41 -0700 (PDT)
	(envelope-from polytarp@grex.cyberspace.org)
Received: from localhost (polytarp@localhost)
	by grex.cyberspace.org (8.6.13/8.6.12) with SMTP id RAA26377;
	Thu, 31 Jul 2003 17:31:47 -0400
Date: Thu, 31 Jul 2003 17:31:46 -0400 (EDT)
From:
To:
In-Reply-To: <5.2.0.9.0.20030731144633.05832008@209.112.4.2>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 31 Jul 2003 21:31:43 -0000

On Thu, 31 Jul 2003 mike@sentex.net wrote:

> At 02:40 PM 31/07/2003 -0400, polytarp@cyberspace.org wrote:
> >
> >Buffer overflows which work on Linux do not work on FreeBSD.
>
> You need to qualify that statement. Yes, there are some that will not be
> relevant and the exact same exploit code will not work. But "Buffer
> overflows which work on Linux do not work on FreeBSD" is dangerously
> misleading.... In the case of wu-ftpd there have been several issues in the
> past that affected both FreeBSD and Linux. Same bug, different exploit
> code, both vulnerable. That being said, I haven't had a chance to review
> this one so I don't know.
>

No, you're wrong. Even a different COMPILER -- let alone a different
OPERATING SYSTEM -- can make buffer overflows not work.