From owner-freebsd-bugs Sun Feb 4 1:44:52 2001 Delivered-To: freebsd-bugs@freebsd.org Received: from yeti.ismedia.pl (yeti.ismedia.pl [212.182.96.18]) by hub.freebsd.org (Postfix) with SMTP id 1E67437B401 for ; Sun, 4 Feb 2001 01:44:33 -0800 (PST) Received: (qmail 69687 invoked from network); 4 Feb 2001 09:46:37 -0000 Received: from unknown (HELO lagoon.freebsd.lublin.pl) (212.182.115.11) by 0 with SMTP; 4 Feb 2001 09:46:37 -0000 Received: (qmail 72707 invoked from network); 4 Feb 2001 09:41:40 -0000 Received: from unknown (HELO riget.scene.pl) () by 0 with SMTP; 4 Feb 2001 09:41:40 -0000 Received: (qmail 72701 invoked by uid 1001); 4 Feb 2001 09:41:40 -0000 Date: Sun, 4 Feb 2001 10:41:40 +0100 From: Przemyslaw Frasunek To: Kris Kennaway Cc: freebsd-bugs@FreeBSD.org Subject: Re: bin/24810: kerberosIV and heimdal ftpd is vulnerable to buffer overflow Message-ID: <20010204104140.A72593@riget.scene.pl> References: <20010202232835.70065.qmail@riget.scene.pl> <20010204013905.A45346@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010204013905.A45346@xor.obsecurity.org>; from kris@obsecurity.org on Sun, Feb 04, 2001 at 01:39:05AM -0800 Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, Feb 04, 2001 at 01:39:05AM -0800, Kris Kennaway wrote: > > KTH Kerberos5 and KerberosIV ftpd is vulnerable to strtok() based > > stack overflow. > Thanks, but AFAIK we don't compile this code. Yes, but it should be patched. opieftpd is also vulnerable - http://www.FreeBSD.org/cgi/query-pr.cgi?pr=23352 -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF * To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message