From owner-freebsd-security Thu Jul 19 10:53:06 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id E804A37B401 for ; Thu, 19 Jul 2001 10:52:58 -0700 (PDT) (envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f6JHqer75736; Thu, 19 Jul 2001 10:52:40 -0700 (PDT) (envelope-from dillon)
Date: Thu, 19 Jul 2001 10:52:40 -0700 (PDT)
From: Matt Dillon
Message-Id: <200107191752.f6JHqer75736@earth.backplane.com>
To: Pierre-Luc Lespérance
Cc: security@FreeBSD.ORG
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

:go to /usr/src/crypto/telnet/telnetd
:and type
:shell~# patch -p < /where/is/the/file.patch

It isn't really safe code. If the data being formatted is larger than the format argument you can overflow the buffer, and the 'ret' from vsnprintf() is the amount of data that would have been output if the buffer had been large enough, not the amount of data that was actually output. Also, size_t is unsigned, which means if you overflow the buffer by one byte you are screwed. There appear to be a number of places (mainly the DIAG code, but also the ENCRYPT code) where this is true.

This patch will fix the existing options-based hole, but doesn't close it.

-Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
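The two points Dillon raises about vsnprintf() are general C pitfalls, so here is an added illustration of them in isolation. This is not the telnetd patch under discussion and not FreeBSD code; the `outbuf` accumulator, its field names and the sample strings are constructed for the example. It shows the check a caller needs (compare the return value against the space that was actually available and treat "return value >= remaining" as truncation) beside the arithmetic that goes wrong when `ret` is subtracted from an unsigned remaining-length counter without that check.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical accumulator (not from telnetd): appends formatted text to a
 * fixed buffer while tracking how much of it has been used. */
struct outbuf {
    char   *buf;
    size_t  cap;   /* total capacity, including room for the NUL */
    size_t  used;  /* bytes written so far, excluding the NUL */
};

/* Append printf-style output. Returns 0 if everything fit, -1 if the
 * output was truncated or an encoding error occurred. Nothing past the
 * buffer is ever written: vsnprintf() is given only the remaining space. */
static int outbuf_append(struct outbuf *ob, const char *fmt, ...)
{
    va_list ap;
    size_t remaining;
    int ret;

    if (ob->cap == 0 || ob->used >= ob->cap)
        return -1;
    remaining = ob->cap - ob->used;

    va_start(ap, fmt);
    ret = vsnprintf(ob->buf + ob->used, remaining, fmt, ap);
    va_end(ap);

    if (ret < 0)
        return -1;                 /* encoding error, buffer state unknown */
    if ((size_t)ret >= remaining) {
        /* 'ret' is how much vsnprintf() WANTED to write, not how much it
         * wrote. The buffer now holds a NUL-terminated prefix; record the
         * real length and report truncation instead of advancing by 'ret'. */
        ob->used = ob->cap - 1;
        return -1;
    }
    ob->used += (size_t)ret;       /* safe: ret < remaining */
    return 0;
}

/* The bookkeeping Dillon warns about, reduced to its arithmetic: if a caller
 * does "remaining -= ret" without comparing first, an overlong format result
 * makes the unsigned counter wrap to a huge value, and the next append
 * believes it has almost the whole address space to write into. No buffer is
 * touched here; the function only returns what that subtraction yields. */
static size_t naive_remaining_after(size_t remaining, int ret)
{
    return remaining - (size_t)ret;
}

/* Worked scenario: three appends into a small buffer. Returns how many of the
 * appends fit completely; buf holds whatever text was actually written. */
static int demo_three_appends(char *buf, size_t cap)
{
    struct outbuf ob = { buf, cap, 0 };
    int fitted = 0;

    if (cap > 0)
        buf[0] = '\0';
    fitted += (outbuf_append(&ob, "%s", "hello") == 0);
    fitted += (outbuf_append(&ob, " %s", "world") == 0);
    fitted += (outbuf_append(&ob, " %s", "and more text") == 0);   /* truncated */
    return fitted;
}

int main(void)
{
    char buf[16];   /* constructed: deliberately too small for all three pieces */
    int fitted = demo_three_appends(buf, sizeof buf);

    printf("appends that fit: %d, buffer now: \"%s\" (%zu bytes)\n",
           fitted, buf, strlen(buf));
    printf("naive 8 - 10 as size_t: %zu (wrapped)\n",
           naive_remaining_after(8, 10));
    return 0;
}
```

With a 16-byte buffer the third append wants 14 bytes but only 5 remain, so the checked accumulator stores the 4 bytes that fit, keeps `used` at 15, and reports truncation; the unchecked subtraction for the same case would leave `remaining` wrapped to a value far larger than the buffer, which is exactly the condition under which a later write runs past the end.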