Date: Thu, 15 Mar 2007 12:02:24 +0100 (BST)
From: Robert Watson
To: Eygene Ryabinkin
Cc: freebsd-security@freebsd.org
Subject: Re: OpenBSD IPv6 remote kernel buffer overflow. FreeBSD has this too?
Message-ID: <20070315120009.A60010@fledge.watson.org>
In-Reply-To: <20070314074510.GH99047@codelabs.ru>

On Wed, 14 Mar 2007, Eygene Ryabinkin wrote:

> Just spotted the new advisory from CORE:
> http://www.securityfocus.com/archive/1/462728/30/0/threaded
> Not an expert, but FreeBSD's src/sys/kern/uipc_mbuf2.c has the very
> similar code.
>
> Robert, anyone, could you please check?

Eygene,

Sorry for the delayed response on this -- I've only just returned from Tokyo in the last day and am significantly behind in e-mail from the trip.

According to a source analysis by Jinmei, we are not vulnerable, but I will continue tracking the thread. Apparently this vulnerability involved an issue in the handling of M_EXT, and our implementation of clusters differs significantly from OpenBSD, so it seems likely we are not affected. If we discover any information to the contrary, you can be sure that we will get it fixed and release an advisory!

Robert N M Watson
Computer Laboratory
University of Cambridge