Date: Sun, 06 Apr 2008 23:01:28 +0100
From: Adrian Portelli <adrianp@stindustries.net>
To: "Simon L. Nielsen" <simon@FreeBSD.org>
Cc: freebsd-security@freebsd.org, stheg olloydson <stheg_olloydson@yahoo.com>
Subject: Re: CVE-2008-1391 - Multiple BSD Platforms "strfmon()" Function Integer Overflow
Message-ID: <47F94838.6060105@stindustries.net>
In-Reply-To: <20080406205506.GE1127@FreeBSD.org>
References: <185727.37681.qm@web32704.mail.mud.yahoo.com> <20080406205506.GE1127@FreeBSD.org>
Simon L. Nielsen wrote:
> On 2008.04.06 12:47:11 -0700, stheg olloydson wrote:
>
>> According to the information at mitre.org, both 6.x and 7.0 are
>> vulnerable. I see in NetBSD's CVS log for
>> src/lib/libc/stdlib/strfmon.c, they have patched this on March
>> 27.
>
> Note that the change in NetBSD is possibly incomplete to fix the
> issue. I'm not sure what the final conclusion was on that.
>

The final conclusion was a subsequent commit on the 27th:

http://archive.netbsd.se/?ml=netbsd-source-changes&a=2008-03&m=6750722
http://archive.netbsd.se/?ml=netbsd-source-changes&a=2008-03&m=6846592

We're still in the process of getting the changes pulled up.

adrian.
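Added example (editor's illustration, not part of the thread and not code from FreeBSD or NetBSD libc): the message names the bug only as an integer overflow in strfmon(), so the block below shows the bug class in general rather than the libc fix itself. A formatter that turns caller-supplied width and precision fields into a scratch-buffer size has two places to wrap: the digit-accumulating parse of the field, and the later sum of width, precisions and overhead. The code parses the size-relevant subset of the strfmon(3) spec syntax "%[w][#n][.p]" with a bound checked before every multiply-add and uses wrap-checked additions for the size. FMT_MAX_FIELD, FMT_OVERHEAD and every function name are assumptions made for this demo.

```c
/*
 * Added example, not code from FreeBSD or NetBSD libc.  Hypothetical
 * mini-parser for "%[w][#n][.p]" (strfmon(3) width, left precision,
 * right precision; flags and the conversion character are ignored).
 * FMT_MAX_FIELD, FMT_OVERHEAD and the function names are assumptions.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FMT_MAX_FIELD 4096   /* assumed per-field cap, far below INT_MAX  */
#define FMT_OVERHEAD  3      /* assumed slack: sign, currency symbol, NUL */

/*
 * Parse a decimal width/precision at *pp and advance past the digits.
 * Stores the value (0 if there are no digits) and returns 0, or returns
 * -1 if the value would exceed FMT_MAX_FIELD.  The bound is tested before
 * each multiply-add, so the accumulator never wraps; checking afterwards
 * would be too late, because signed overflow is undefined behaviour in C.
 */
int parse_field(const char **pp, int *out)
{
    const char *p = *pp;
    int v = 0;

    for (; *p >= '0' && *p <= '9'; p++) {
        int d = *p - '0';
        if (v > (FMT_MAX_FIELD - d) / 10)
            return -1;               /* oversized field: reject the spec */
        v = v * 10 + d;
    }
    *pp = p;
    *out = v;
    return 0;
}

/* a + b without wrapping size_t; returns -1 if the sum does not fit. */
static int add_checked(size_t a, size_t b, size_t *r)
{
    if (a > SIZE_MAX - b)
        return -1;
    *r = a + b;
    return 0;
}

/*
 * Scratch-buffer size for one field: the larger of the width and the
 * digit string "left '.' right", plus FMT_OVERHEAD.  Returns the size,
 * or -1 if an argument is negative or any addition would wrap.
 */
long field_buf_size(int width, int left_prec, int right_prec)
{
    size_t digits, n, need;

    if (width < 0 || left_prec < 0 || right_prec < 0)
        return -1;
    if (add_checked((size_t)left_prec, (size_t)right_prec + 1, &digits))
        return -1;
    n = (size_t)width > digits ? (size_t)width : digits;
    if (add_checked(n, FMT_OVERHEAD, &need) || need > (size_t)LONG_MAX)
        return -1;
    return (long)need;
}

/*
 * Parse "%[w][#n][.p]" and return the buffer size the field needs, or -1
 * if the spec is malformed, a field is oversized, or the size would wrap.
 */
long spec_buf_size(const char *spec)
{
    int width = 0, lprec = 0, rprec = 0;

    if (*spec != '%')
        return -1;
    spec++;
    if (parse_field(&spec, &width))
        return -1;
    if (*spec == '#') {
        spec++;
        if (parse_field(&spec, &lprec))
            return -1;
    }
    if (*spec == '.') {
        spec++;
        if (parse_field(&spec, &rprec))
            return -1;
    }
    return field_buf_size(width, lprec, rprec);
}

int main(void)
{
    /* Constructed sample specs: a normal one and an oversized width. */
    const char *specs[] = { "%12#5.2n", "%99999999999999999999n" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++)
        printf("%-24s -> %ld\n", specs[i], spec_buf_size(specs[i]));
    return 0;
}
```

The first check rejects a field before the accumulator can pass the cap, which is what makes it safe regardless of how many digits follow; the second protects the size sum even when each field individually passes, which matters if a real formatter's cap is larger than this demo's. A fix that only added one of the two checks would leave the other path open, which is the kind of gap the thread's "possibly incomplete" remark is about.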
