From: Dan Lukes
Date: Sun, 02 Mar 2008 01:48:17 +0100
To: Eygene Ryabinkin
Cc: freebsd-security@freebsd.org, sipherr@gmail.com
Subject: Re: *BSD user-ppp local root (when conditions permit)
Message-ID: <47C9F951.3090408@obluda.cz>
References: <20080229163903.3680.qmail@securityfocus.com>

Eygene Ryabinkin wrote, on 03/02/08 00:06:

>> 1. Run ppp
>> 2. type the following (or at least some variation of) ...

> Yes, good catch: looks like stack-based buffer overflow

> Could you please test the following rough patch

It seems you are going to cut off part of the line silently. IMHO - the line shall be rejected as invalid altogether, or a warning needs to be issued at least ...

Someone may create such a long line (unintentionally), and it will not work for him with no hint why - it's not so polite ...

Dan
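
The reject-and-warn behaviour suggested in the message above, as an added example that is not part of the original message and is not ppp's code. The names copy_line_strict, process_commands and CMD_BUF_SIZE, the 64-byte limit and the sample input are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 64 /* assumed limit for this sketch, not ppp's value */
struct line_stats { int accepted; int rejected; };

/* Copy one line without ever truncating: a line that does not fit (with its
 * NUL) is rejected whole, dst is emptied and a warning is issued. */
static int
copy_line_strict(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    if (srclen >= dstsz) {
        if (dstsz > 0) dst[0] = '\0';
        fprintf(stderr, "warning: %zu-byte line too long, rejected\n", srclen);
        return -1;
    }
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Split newline-separated input; count accepted and rejected lines. */
static struct line_stats
process_commands(const char *input)
{
    struct line_stats st = { 0, 0 };
    char buf[CMD_BUF_SIZE];
    const char *p = input;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (copy_line_strict(buf, sizeof(buf), p, len) == 0)
            st.accepted++;  /* a real parser would interpret buf here */
        else
            st.rejected++;  /* never interpreted in truncated form */
        p += len + (nl != NULL);
    }
    return st;
}

int main(void)
{
    char in[256] = "set timeout 30\n";  /* constructed sample input */
    memset(in + 15, 'A', 200);          /* one overlong 200-byte line */
    strcpy(in + 215, "\nquit\n");
    struct line_stats st = process_commands(in);
    printf("accepted=%d rejected=%d\n", st.accepted, st.rejected);
    return 0;
}
```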