From: Colin Percival
Date: Thu, 17 Mar 2005 21:37:15 -0800
To: David Schultz
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: no patch, is there a problem

David Schultz wrote:
> On Thu, Mar 17, 2005, Colin Percival wrote:
>> We're not affected. The problem is in copyoutstr(),
>> which doesn't exist in FreeBSD.
>
> It exists on FreeBSD/alpha because it was blindly copied from
> NetBSD. However, we don't use it, and it appears to do proper
> validation anyway.

Heh. The problem was in Net/OpenBSD's implementations of
copyoutstr() on i386 and amd64 only.

> I'm not sure whether the bugtraq submitter is intentionally
> spreading FUD or just lazy; the assertion that we do ``no
> validation'' in copyout is patently false.

I'm sure someone wrote "multiple BSDs" and someone else read that
as including FreeBSD. The problem description was correct, for the
affected systems -- the i386 and amd64 versions of copyoutstr() on
OpenBSD and NetBSD did not do any validation of the target address.

Colin Percival
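
Added example, not part of the original message and not NetBSD, OpenBSD or FreeBSD code: a user-space C model of what validating the target address in a copyoutstr()-style routine means, next to the unvalidated behaviour described above. The names model_copyoutstr, MEM_SIZE, USER_LIMIT and the validate flag are assumptions made for this model; the error values follow the copy(9) convention (EFAULT, ENAMETOOLONG).

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one flat array stands in for the address space.
 * Offsets below USER_LIMIT are "user" memory, the rest is "kernel". */
#define MEM_SIZE   64
#define USER_LIMIT 32
static char mem[MEM_SIZE];

/* Copy a NUL-terminated string from kaddr to user offset uaddr, writing
 * at most len bytes including the NUL; *done receives the bytes written.
 * validate == 0 models the missing check: only the array size bounds it. */
static int model_copyoutstr(const char *kaddr, size_t uaddr, size_t len,
                            size_t *done, int validate)
{
    size_t limit = validate ? USER_LIMIT : MEM_SIZE;
    size_t i = 0;
    int error = ENAMETOOLONG;          /* no NUL seen within len bytes */

    if (uaddr >= limit) {              /* destination starts out of range */
        error = EFAULT;
        len = 0;
    } else if (len > limit - uaddr) {  /* clamp; subtraction cannot wrap */
        len = limit - uaddr;
        error = EFAULT;                /* hitting the clamp is a fault */
    }
    while (i < len) {
        mem[uaddr + i] = kaddr[i];
        if (kaddr[i++] == '\0') {
            error = 0;
            break;
        }
    }
    if (done != NULL)
        *done = i;
    return error;
}

int main(void)
{
    size_t done;
    /* Constructed input: a 9-byte string aimed 4 bytes below the limit. */
    int unchecked = model_copyoutstr("ABCDEFGH", 28, 16, &done, 0);
    printf("unchecked: error=%d done=%zu mem[32]=%c\n", unchecked, done, mem[32]);
    memset(mem, 0, sizeof mem);
    int checked = model_copyoutstr("ABCDEFGH", 28, 16, &done, 1);
    printf("checked:   error=%d done=%zu mem[32]=%d\n", checked, done, mem[32]);
    return 0;
}
```

In the model, the validated call stops at the user/kernel boundary and reports EFAULT, while the unvalidated call reports success after writing past it.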