Date: Sat, 13 Jan 2001 15:41:44 -0800
From: Kris Kennaway <kris@FreeBSD.ORG>
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [!H] Tcpdump 3.5.2 remote root vulnerability (fwd)
Message-ID: <20010113154144.A2379@citusc.usc.edu>
In-Reply-To: <200101131323.f0DDNX518734@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Sat, Jan 13, 2001 at 05:23:22AM -0800
References: <20010112184529.B25168@citusc.usc.edu> <200101131323.f0DDNX518734@cwsys.cwsent.com>
On Sat, Jan 13, 2001 at 05:23:22AM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> I do recall the advisory which mainly patches some calls from sprintf()
> to snprintf(), however the advisory from BUGTRAQ that I had forwarded
> to this list patches two calls to sscanf(). Are you saying that we
> tackled the same problem differently or did we just fix a different
> buffer overrun condition?

I believe it attempts to fix one of the problems we fixed (but does it
incorrectly, by truncating a string to 127 bytes which may legitimately be
up to 2048 bytes long in the real world).

> If this is a different problem, there are two other sscanf's in
> print-atalk.c that were not discussed in the advisory that need fixing.

These are not exploitable: they read from /etc/atalk.names which is
root-owned, and even then the buffers are sized such that they can't be
overflowed.

Kris
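The point Kris raises above is that bounding an sscanf() "%s" conversion with a width specifier stops the overrun but, if the width is smaller than what the input may legitimately carry, it silently truncates the field. The following is an added illustration, not code from tcpdump or from either poster: the buffer is sized for the realistic maximum (2048, the figure cited in the message), the width is derived from the buffer size so the two cannot drift apart, and "%n" is used to detect a token that was cut rather than accepting a truncated value. The name `read_name_bounded` and the sample lines are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Upper bound the field is expected to reach in practice (from the message
   above: a name may legitimately be up to 2048 bytes). */
#define NAME_MAX_LEN 2048

/* Vulnerable pattern, shown only as a comment:
 *     char name[128];
 *     sscanf(line, "%s", name);   -- no width: long input overruns `name`
 * The too-narrow fix, "%127s", no longer overruns but silently truncates
 * anything longer than 127 bytes.
 */

/* Reads one whitespace-delimited token into name[namesz].
 * Returns 1 if the whole token fit, 0 if it was longer than the buffer
 * (and was cut short), -1 if the line contained no token. */
static int read_name_bounded(const char *line, char *name, size_t namesz)
{
    char fmt[32];
    int consumed = 0;

    if (namesz < 2)              /* room for at least one char plus NUL */
        return -1;
    /* Build "%<namesz-1>s%n": the width always matches the destination,
       and %n records how many input characters were consumed. */
    snprintf(fmt, sizeof fmt, "%%%zus%%n", namesz - 1);
    if (sscanf(line, fmt, name, &consumed) != 1)
        return -1;
    /* If the next unread character is not whitespace or end of string,
       the token continued past the width and was truncated. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return 0;
    return 1;
}

/* Helper that only reports the fit status for a given buffer size. */
static int token_fits(const char *line, size_t namesz)
{
    char name[NAME_MAX_LEN + 1];
    if (namesz > sizeof name)
        namesz = sizeof name;
    return read_name_bounded(line, name, namesz);
}

int main(void)
{
    char name[NAME_MAX_LEN + 1];
    /* Constructed sample lines in a "name value" layout. */
    const char *ok_line   = "printer-room 3.5";
    const char *long_line = "a-very-long-hostname-that-exceeds-the-buffer 9";
    printf("%d\n", read_name_bounded(ok_line, name, sizeof name));  /* 1 */
    printf("%d\n", read_name_bounded(long_line, name, 16));         /* 0 */
    return 0;
}
```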
