From: Don Lewis
Message-Id: <199905091244.FAA20637@salsa.gv.tsc.tdk.com>
Date: Sun, 9 May 1999 05:44:57 -0700
In-Reply-To: sthaug@nethelp.no "Re: KKIS.05051999.003b" (May 9, 1:17pm)
To: sthaug@nethelp.no, Don.Lewis@tsc.tdk.com
Subject: Re: KKIS.05051999.003b
Cc: wes@softweyr.com, toasty@HOME.DRAGONDATA.COM, security@FreeBSD.ORG

On May 9, 1:17pm, sthaug@nethelp.no wrote:
} Subject: Re: KKIS.05051999.003b
} > I don't see any obvious descriptor leaks, but the fact that FreeBSD < 3.1
} > panics (probably in unp_gc(), which Matt fixed) indicates that I'm missing
} > something.
}
} A 2.2.8 system I have here panics in sorflush (called from unp_gc()):

This is the bug that Matt Dillon fixed just before 3.1-RELEASE; sorflush()
is only supposed to be used on descriptors associated with sockets. This
exploit code causes sorflush() to be called on a descriptor for an open
file.
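A simplified C model of the garbage-collection sweep Don describes, added here as an illustration and not code from the FreeBSD kernel or from anyone in the thread; the structure layouts, field names, the DTYPE_* values and the sample table are all assumptions of the model. It shows the defect (an unreachable non-socket descriptor reaching sorflush()) beside the type guard that prevents it.

```c
/* Simplified model (not FreeBSD kernel code) of the unp_gc() sweep the mail
 * discusses. All structure layouts and names are assumptions for the model. */
#include <stddef.h>
enum ftype { DTYPE_VNODE = 1, DTYPE_SOCKET = 2 };

struct socket { int rcv_bytes; };
struct file {
    enum ftype f_type;
    void *f_data;     /* struct socket * only when f_type == DTYPE_SOCKET */
    int f_gcmark;     /* 1 = unreachable, to be collected */
};

/* Models sorflush(): valid only on a socket. Returns -1 for anything else;
 * the real kernel would instead misinterpret the memory and panic. */
static int sorflush(struct file *fp)
{
    if (fp->f_type != DTYPE_SOCKET)
        return -1;
    ((struct socket *)fp->f_data)->rcv_bytes = 0;  /* drop buffered data */
    return 0;
}

/* Garbage-collection sweep. With check_type == 0 every unreachable
 * descriptor is handed to sorflush(), which is the bug; with 1 only sockets
 * are. Returns how many non-socket descriptors reached sorflush(). */
int sweep(struct file *tab, size_t n, int check_type)
{
    int misuse = 0;
    for (size_t i = 0; i < n; i++) {
        if (!tab[i].f_gcmark)
            continue;
        if (check_type && tab[i].f_type != DTYPE_SOCKET)
            continue;                 /* the guard the fix adds */
        if (sorflush(&tab[i]) < 0)
            misuse++;
    }
    return misuse;
}

/* Constructed sample table: one live socket, one unreachable socket and one
 * unreachable plain file (the situation the thread describes). */
int demo(int check_type)
{
    struct socket live = { 10 }, dead = { 20 };
    struct file tab[3] = {
        { DTYPE_SOCKET, &live, 0 },
        { DTYPE_SOCKET, &dead, 1 },
        { DTYPE_VNODE,  NULL,  1 },
    };
    return sweep(tab, 3, check_type);  /* 1 without the guard, 0 with it */
}
```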