From: "Carroll, D. (Danny)"
Date: Mon, 13 May 2002 09:18:59 +0200
Subject: RE: DHCPD bug
Message-ID: <6C506EA550443D44A061432F1E92EA4C012DBA@ing.com>
Delivered-To: freebsd-security@freebsd.org

As a little aside, whilst reading the CERT advisory I noticed that NetBSD is not vulnerable because:

"NetBSD fixed this during a format string sweep performed on 11-Oct-2000. No released version of NetBSD is vulnerable to this issue."

Nice and prudent. Is there any reason why this would be difficult to do in the FreeBSD source / Ports source?

I don't know a hell of a lot about buffer over-runs but the patch passes ("%s", ptr) rather than simply (ptr)... If the fix for most over-runs is this simple then this task should be easy to do. At least it might be easy to identify potential issues.

-D
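The change the message describes, passing ("%s", ptr) rather than (ptr), shown as an added example; it is not part of the original message and is not the actual dhcpd patch. The names `log_msg`, `log_unsafe` and `log_safe` are hypothetical and the input string is constructed; the `format` attribute is the gcc/clang feature that lets `-Wformat -Wformat-security` find such calls across a source tree.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrapper standing in for a daemon's error logger.
 * The format attribute tells gcc/clang to check every caller's format
 * argument, which is what makes a tree-wide sweep mechanical. */
__attribute__((format(printf, 3, 4)))
static int log_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* BEFORE: externally supplied text is used as the format string.
 * The warning is silenced only so this form builds under -Werror;
 * drop the pragmas to see -Wformat-security report the call. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int log_unsafe(char *out, size_t outlen, const char *ptr)
{
    return log_msg(out, outlen, ptr);
}
#pragma GCC diagnostic pop

/* AFTER: the text is data for a constant "%s" format. */
static int log_safe(char *out, size_t outlen, const char *ptr)
{
    return log_msg(out, outlen, "%s", ptr);
}

int main(void)
{
    /* Constructed input. "%%" takes no argument, so even the unsafe
     * call is well defined here; a directive that takes an argument
     * would make it read arguments that were never passed. */
    const char *ptr = "lease 100%% used";
    char buf[64];

    log_unsafe(buf, sizeof buf, ptr);
    printf("unsafe: %s\n", buf);   /* text was interpreted */
    log_safe(buf, sizeof buf, ptr);
    printf("safe:   %s\n", buf);   /* text logged verbatim */
    return 0;
}
```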