From owner-freebsd-security Thu Aug 26 21:20:58 1999
Date: Thu, 26 Aug 1999 22:19:54 -0600 (MDT)
From: Paul Hart
To: Brian Tao
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Buffer overflow in vixie cron?

On Thu, 26 Aug 1999, Brian Tao wrote:

> RedHat published a security advisory for the version of vixie-cron
> included in RH 4.2, 5.2 and 6.0 today. Is our version also vulnerable?

I don't believe so. I looked through 3.2-STABLE and didn't see any
overflows. I haven't looked at the exact Linux diff, but from the
description of the problem it sounds like they fixed the line where the
sendmail pipe command string buffer is built. Our code already uses
snprintf when using the MAILTO value, but the original Vixie cron used
sprintf without length checks in both version 3.0 and 3.0.1. I'm assuming
that's where the hole was.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/
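
The difference the message describes between sprintf and snprintf when building the mailer command from MAILTO, as an added example that is not part of the original message and not taken from any cron source. `build_mail_cmd`, `try_mailto_len`, `MAILER_PATH`, `MAIL_CMD_FMT` and the 64-byte buffer are hypothetical stand-ins; the point shown is that the snprintf return value must be checked so a truncated command is rejected rather than run.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for this example, not taken from any cron source. */
#define MAILER_PATH  "/usr/sbin/sendmail"
#define MAIL_CMD_FMT "%s -oi %s"
#define CMD_BUF_SIZE 64

/* The kind of unbounded call the message refers to:
 *   sprintf(cmd, MAIL_CMD_FMT, MAILER_PATH, mailto);
 * writes strlen(mailto) + 24 bytes into cmd regardless of its size. */

/* Bounded form: returns the command length, or -1 if it would not fit. */
int build_mail_cmd(char *buf, size_t buflen, const char *mailto)
{
    int n;

    if (buf == NULL || buflen == 0 || mailto == NULL)
        return -1;
    n = snprintf(buf, buflen, MAIL_CMD_FMT, MAILER_PATH, mailto);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';  /* never hand a truncated command to the mailer */
        return -1;
    }
    return n;
}

/* Constructed input: a MAILTO value made of `len` 'a' characters. */
int try_mailto_len(size_t len)
{
    char mailto[256];
    char cmd[CMD_BUF_SIZE];

    if (len >= sizeof(mailto))
        return -1;
    memset(mailto, 'a', len);
    mailto[len] = '\0';
    return build_mail_cmd(cmd, sizeof(cmd), mailto);
}

int main(void)
{
    size_t lens[] = { 4, 40, 41, 200 };
    size_t i;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("MAILTO length %3zu -> %d\n", lens[i], try_mailto_len(lens[i]));
    return 0;
}
```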