Date: Mon, 24 Mar 2003 13:19:07 -0600
From: D J Hawkey Jr <hawkeyd@visi.com>
To: "Jacques A. Vidrine" <nectar@FreeBSD.ORG>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: another TCPDump update question (going slightly off-topic)

On Mar 24, at 12:44 PM, Jacques A. Vidrine wrote:
> 
> On Mon, Mar 24, 2003 at 11:02:22AM -0600, D J Hawkey Jr wrote:
> > 
> > www.tcpdump.org shows a new libpcap "to go with" the updated tcpdump.
> > They don't say a vulnerability was in libpcap, but if so, a quick scan
> > of userland shows that pppd is linked to libpcap. By inference, I would
> > think kernel-mode PPP falls in line with this, too. Now, there's a
> > rather big "if" here, but if true, would this then qualify as worthy
> > of a SA? As an aside, isn't BPF also tied to libpcap?
> 
> The `if' is indeed big.  The assumptions in the above paragraph
> don't hold:
>   (1) The vulnerability was in a tcpdump printer, not libpcap.
>   (2) While pppd does indeed use libpcap to implement packet filtering,
>       kernel-mode PPP most certainly does not.
>   (3) libpcap's live-capture mode is implemented on top of bpf, not the
>       other way 'round.

I stand corrected. Thanks.

> But as for this issue ... I honestly do not think it is important to
> any FreeBSD user.  The only possible exception might be someone
> deploying tcpdump or tcpdump code fragments as part of an intrusion
> detection system (seems unlikely).
> 
> Remember guys, we're talking about a command-line utility going into
> an infinite loop.  No crashes.  No code execution.  No nothing, it
> just sits there printing to stdout.

OK, I picked a bad example to illustrate my "bigger concern", as this
issue isn't a security issue. My bad.

> > If my feeling is wrong...
> 
> Your feeling may be wrong in only one way: you seem to be assuming
> that the tcpdump issue did not get treatment...
> 
> i.e. the issue got handled with as much thoroughness as any issue that
> affects the base system does...

Oh, no, no... I didn't mean to imply that you blithely (sp?) dismissed the
vulnerability out-of-hand. I know you're better than that.

Thanks again. I'll go away now.
Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/

