From owner-freebsd-bugs  Sat Aug  2 07:26:56 1997
Return-Path: <owner-freebsd-bugs>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id HAA25329
          for bugs-outgoing; Sat, 2 Aug 1997 07:26:56 -0700 (PDT)
Received: from relay.ucb.crimea.ua (ru@relay.ucb.crimea.ua [194.93.177.113])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA25313
          for <freebsd-bugs@FreeBSD.ORG>; Sat, 2 Aug 1997 07:26:45 -0700 (PDT)
Received: (from ru@localhost)
	by relay.ucb.crimea.ua (8.8.5/8.8.5) id RAA07998;
	Sat, 2 Aug 1997 17:25:53 +0300 (EET DST)
From: Ruslan Ermilov <ru@ucb.crimea.ua>
Message-Id: <199708021425.RAA07998@relay.ucb.crimea.ua>
Subject: Re: CERT Advisory CA-97.17 - Vulnerability in suidperl (sperl) question...
To: joerg_wunsch@uriah.heep.sax.de
Date: Sat, 2 Aug 1997 17:25:53 +0300 (EET DST)
Cc: ru@ucb.crimea.ua, jkh@time.cdrom.com, freebsd-bugs@FreeBSD.ORG,
        imp@village.org
In-Reply-To: <19970802152306.IZ53286@uriah.heep.sax.de> from "J Wunsch" at Aug 2, 97 03:23:06 pm
X-My-Interests: Unix,Oracle,Networking
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Hi, J"oerg & all!

You wrote:

> That's not fully right.  If you read Warner's name in the advisory, it
> shouldn't surprise you too much to see:
> 
> revision 1.3
> date: 1997/05/22 21:40:08;  author: imp;  state: Exp;  lines: +5 -2
> Fix buffer overload that might lead to root.
> 
> (In Perl4, that's in stab.c.)
> 
> The problem in toke.c was still unfixed.  Below's a patch (basically
> the patch from the CA, adapted for Perl4).  Warner, can you please
> review it?

For CERT Advisory CA-97.16 - ftpd Signal Handling Vulnerability
there is a response from FreeBSD Project:

| The FreeBSD Project
| ===================
| 
|     The FreeBSD Project has informed AUSCERT that the vulnerability
|     described in this advisory has been fixed in FreeBSD-current (from
|     January 27, 1997), and will be fixed in the upcoming FreeBSD 2.2
|     release.  All previous versions of FreeBSD are vulnerable.

For CERT Advisory CA-97.17 - Vulnerability in suidperl (sperl)
there is no such response from FreeBSD Project.

Because no response was made by FreeBSD Project to the CA-97.17, why
there is no at least GNATS entry for it?

How people (having no CVS) do know, that FreeBSD is not vulnerable?

TIA,
-- 
Ruslan A. Ermilov	System Administrator
ru@ucb.crimea.ua	United Commercial Bank
+380-652-247 647	Simferopol, Crimea