From owner-freebsd-security Mon May 15 13:41: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id DCBEB37B6A0; Mon, 15 May 2000 13:41:03 -0700 (PDT) (envelope-from str@giganda.komkon.org) Received: (from str@localhost) by giganda.komkon.org (8.9.3/8.9.3) id QAA80539; Mon, 15 May 2000 16:41:02 -0400 (EDT) From: Igor Roshchin Message-Id: <200005152041.QAA80539@giganda.komkon.org> Subject: Re: qpopper discussion on BUGTRAQ In-Reply-To: from "Kris Kennaway" at "May 15, 2000 01:17:39 pm" To: "Kris Kennaway" Date: Mon, 15 May 2000 16:41:01 -0400 (EDT) Cc: Visigoth , freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL61 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > On Mon, 15 May 2000, Visigoth wrote: > > > I was just curious as to what the freebsd stance on the possible > > qpopper-2.53 vuln as is being discussed on BUGTRAQ. Has this vuln been > > tested with the freebsd port? Are there known issues? I am going to > > (hopefully) be taking a look at the "exploitability" of the freebsd port > > for qpopper-2.53 but I was wondering if someone had already done all the > > work. I under stand that the exploit posted on bugtraq would need to be > > modified, but I am wondering if the security/ports team have taken care of > > the offending piece of code already (which is so often the case)... > > I'm not sure which of the reported vulnerabilities you're referring to, > but in either case I know of the answer is "Blah blah blah, NOT > vulnerable..." > > * BSD systems dont have the tempfile creation problems which can deny > service to a user's mailbox (only SYSV directory semantics) > * FreeBSD fixed the "fgets() wraparound" bug prior to the release of the > bugtraq advisory. > > It's been on my plate to release an advisory about this since it was > fixed, but I've been sidetracked with other issues. My apologies - I'll ty > and get my backlog cleared this week. > > Kris > > ---- Although I am not sure which vulnerability the author of the original question is talking about, I see that there was a recent patch (April 17) related to (if I read it correctly) some buffer overflow, or smth. like that... (and IIRC there was something like that mentioned on BUGTRAQ some time ago) May be the author of the patch can clear up the question ? (sorry I don't have time/possibility to check the cvs logs now to find out how it was) Igor To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message