Date: Wed, 01 Dec 1999 09:09:43 -0700
From: Warner Losh <imp@village.org>
To: tstromberg@rtci.com
Cc: freebsd-audit@freebsd.org
Subject: Re: Where to start? Here's a few overflows.
Message-ID: <199912011609.JAA02320@harmony.village.org>
In-Reply-To: Your message of "Wed, 01 Dec 1999 08:50:49 EST." <384527B9.3A3E3C41@rtci.com>
References: <384527B9.3A3E3C41@rtci.com> <38445A6A.50245AF5@rtci.com> <199911302322.QAA05983@harmony.village.org>
In message <384527B9.3A3E3C41@rtci.com> Thomas Stromberg writes:
: > : *rdump overflow when giving it a partition to dump
: > : ex: rdump -0 [A*1024]
: >
: > These are fixed in -current. I've not backported to stable, but should.
:
: Seeing as it's suid, it should probably be expedited. I myself took the
: suid bit off of it on my -STABLE boxes (I usually do, since I make no
: use of dump as non-root).

Yes. However, this buffer overflow appears to be benign given the
memory layout. I did an extensive analysis of this, which I sent to
Thomas a while ago, which showed that it was a bug, but not a
penetration bug.

A good project would be to bring in the fork write(1), rather than
putting that functionality inside dump, changes OpenBSD made years ago.

: Did you have any luck re-creating it with the script I sent you?
: Interested to see if this becomes a systat or a curses thing..

No. I tried once, but it didn't fail and I've not gotten back to it.

Warner