From owner-freebsd-security  Mon Aug  5 09:33:03 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id JAA29027
          for security-outgoing; Mon, 5 Aug 1996 09:33:03 -0700 (PDT)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.eu.org [193.56.58.253])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA29011
          for <security@freebsd.org>; Mon, 5 Aug 1996 09:33:00 -0700 (PDT)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.eu.org [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id SAA28152; Mon, 5 Aug 1996 18:32:51 +0200
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id SAA08484; Mon, 5 Aug 1996 18:32:24 +0200
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.Alpha.7/keltia-uucp-2.9) id GAA08545; Mon, 5 Aug 1996 06:58:08 +0200 (MET DST)
Message-Id: <199608050458.GAA08545@keltia.freenix.fr>
Date: Mon, 5 Aug 1996 06:58:08 +0200
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: sbqadm@sbq.org.br (Sociedade Brasileira de Quimica/Admin)
Cc: security@freebsd.org
Subject: Re: rlogin vulnerability?
In-Reply-To: <199608050020.AAA04628@www.sbq.org.br>; from Sociedade Brasileira de Quimica/Admin on Aug 5, 1996 0:20:29 +0000
References: 	<199608050020.AAA04628@www.sbq.org.br>
X-Mailer: Mutt 0.38
Mime-Version: 1.0
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Sociedade Brasileira de Quimica/Admin:
> ping.c - pr_addr(l)

Interestingly enough,  the diff is  about  pin, not  rlogin. Anyway, it was
fixed a while ago in 2.2-CURRENT:

----------------------------
revision 1.6
date: 1996/07/28 20:29:10;  author: peter;  state: Exp;  lines: +3 -2
Limit the risk of `buf' overrun in ping.c when printing hostnames.

Note, this is not really a security risk, because the buffer in question
is a static variable in the data segment and not on the stack, and hence
cannot subert the flow of execution in any way.  About the worst case was
that if you pinged a long hostname, ping could coredump.

Pointed out on: bugtraq  (listserv@netspace.org)
----------------------------

-- 
Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #17: Fri Aug  2 20:40:17 MET DST 1996