From: "Simon L. Nielsen"
To: stheg olloydson
Cc: freebsd-security@freebsd.org
Date: Sun, 6 Apr 2008 22:55:06 +0200
Subject: Re: CVE-2008-1391 - Multiple BSD Platforms "strfmon()" Function Integer Overflow
Message-ID: <20080406205506.GE1127@FreeBSD.org>
In-Reply-To: <185727.37681.qm@web32704.mail.mud.yahoo.com>

On 2008.04.06 12:47:11 -0700, stheg olloydson wrote:
> According to the information at mitre.org, both 6.x and 7.0 are
> vulnerable. I see in NetBSD's CVS log for
> src/lib/libc/stdlib/strfmon.c, they have patched this on March
> 27.

Note that the change in NetBSD is possibly incomplete to fix the issue.
I'm not sure what the final conclusion was on that.

> Looking at FreeBSD's CVS log at
> http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdlib/strfmon.c,
> shows that no changes have been made since Mon Sep 12, 2005.
> Is our strfmon() not vulnerable as reported?

The FreeBSD version is affected and will be fixed in -CURRENT / HEAD
shortly.

The FreeBSD Security Team has yet to be able to come up with any real
cases where this is an actual security issue, so unless we find any
place where this is actually a problem, the issue will be handled as a
normal bug and merged to -STABLE branches accordingly.

Note that allowing untrusted format strings to be used is normally a
bad idea, so any application where the strfmon issue is a problem is
likely already broken.

-- 
Simon L. Nielsen
FreeBSD Security Team
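
Added example, not part of the original message and not FreeBSD code: for an application that cannot keep its strfmon() format a compile-time constant, one way to check a format before use, following the POSIX conversion syntax and capping its numeric fields. The names strfmon_format_ok and checked_strfmon and the MAX_FIELD limit are hypothetical choices for this sketch.

```c
#include <ctype.h>
#include <monetary.h>
#include <stddef.h>
#include <sys/types.h>

#define MAX_FIELD 64 /* assumed cap on width and precision values */

/* Consume a decimal run at *p; return -1 once it exceeds MAX_FIELD. */
static int bounded_number(const char **p)
{
    int v = 0;
    while (isdigit((unsigned char)**p)) {
        v = v * 10 + (**p - '0');
        if (v > MAX_FIELD)
            return -1;
        (*p)++;
    }
    return v;
}

/* 1 if fmt follows %[flags][width][#left][.right]{i|n} with bounded fields. */
int strfmon_format_ok(const char *fmt)
{
    const char *p = fmt;
    if (p == NULL)
        return 0;
    while (*p) {
        if (*p++ != '%')
            continue;                                  /* literal character */
        if (*p == '%') { p++; continue; }              /* escaped percent */
        for (;;) {                                     /* flags: =f ^ + ( ! - */
            if (*p == '=' && p[1] != '\0') p += 2;
            else if (*p == '^' || *p == '+' || *p == '(' ||
                     *p == '!' || *p == '-') p++;
            else break;
        }
        if (bounded_number(&p) < 0) return 0;          /* field width */
        while (*p == '#' || *p == '.') {               /* left, right precision */
            const char *mark = p++;
            if (!isdigit((unsigned char)*p) || bounded_number(&p) < 0) return 0;
            if (*mark == '.') break;                   /* nothing follows .p */
        }
        if (*p != 'i' && *p != 'n') return 0;          /* conversion character */
        p++;
    }
    return 1;
}

/* Format one amount only when the format passed validation. */
ssize_t checked_strfmon(char *buf, size_t len, const char *fmt, double amount)
{
    return strfmon_format_ok(fmt) ? strfmon(buf, len, fmt, amount) : -1;
}
```

The validator is deliberately stricter than libc: anything it does not recognise, including printf-style conversions, is rejected rather than passed through.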