From owner-freebsd-security Tue Oct 31 0:11:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from orhi.sarenet.es (orhi.sarenet.es [192.148.167.5]) by hub.freebsd.org (Postfix) with ESMTP id 9ED2837B4F9; Tue, 31 Oct 2000 00:11:26 -0800 (PST)
Received: from sarenet.es (sollube.sarenet.es [192.148.167.16]) by orhi.sarenet.es (Postfix) with SMTP id AC6F6D2776; Tue, 31 Oct 2000 09:09:04 +0000 (WET)
Received: from sarenet.es ([192.148.167.77]) by sarenet.es ; Tue, 31 Oct 2000 09:11:01 +0100
Message-ID: <39FE7E95.60F46EB5@sarenet.es>
Date: Tue, 31 Oct 2000 09:11:01 +0100
From: Borja Marcos
X-Mailer: Mozilla 4.73 [en] (X11; I; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: security-advisories@freebsd.org, security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:61.tcpdump
References: <20001030231311.7642A37B680@hub.freebsd.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

FreeBSD Security Advisories wrote:
>
> Several overflowable buffers were discovered in the version of tcpdump
> included in FreeBSD, during internal source code auditing. Some
> simply allow the remote attacker to crash the local tcpdump process,
> but there is a more serious vulnerability in the decoding of AFS ACL
> packets in the more recent version of tcpdump (tcpdump 3.5) included
> in FreeBSD 4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE, which may allow
> a remote attacker to execute arbitrary code on the local system
> (usually root, since root privileges are required to run tcpdump).

Something I love in FreeBSD: You don't need to be root. Just need
permissions to access /dev/bpf?. Perhaps you could recommend running it
as an ordinary user?

The same can be said of argus, snort and other IDSs.

Borja.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
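The point Borja makes above is a least-privilege configuration: on FreeBSD the packet-capture programs only need to open /dev/bpf*, so the device permissions decide who can sniff, and a bug in a sniffer running as an unprivileged user gives an attacker far less than one running as root. The shell script below is an added example, not part of the thread and not FreeBSD's own scripts. It prints the devfs(8) ruleset that grants a dedicated group access to the bpf devices (the `network` group name and the ruleset number 10 are assumptions; on a FreeBSD 4.x static /dev the equivalent is `chgrp`/`chmod` on /dev/bpf*, shown in a comment), and it audits `ls -l`-style output for bpf devices that are open to every local user. The `ls -l` lines are constructed sample input, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: run tcpdump/argus/snort as an
# unprivileged user by granting a group access to /dev/bpf*, then audit the result.

# Print a devfs(8) ruleset granting GROUP read/write on /dev/bpf* (FreeBSD 5+).
# Assumptions: ruleset name/number "localrules=10", default group "network".
# Activate with  devfs_system_ruleset="localrules"  in /etc/rc.conf; create the
# group with  pw groupadd network  and add operators with  pw groupmod network -m USER.
# On FreeBSD 4.x (static /dev, as in the advisory) the equivalent one-off is:
#   chgrp network /dev/bpf* && chmod 660 /dev/bpf*
bpf_devfs_rules() {
    group="${1:-network}"
    cat <<EOF
[localrules=10]
add path 'bpf*' mode 0660 group $group
EOF
}

# Classify an ls -l mode string such as "crw-rw----" by who can open the device:
#   world      - any local user can read (capture) or write (inject) on it
#   group      - only root and members of the owning group
#   owner-only - only root (the default, which forces the sniffer to run as root)
classify_perm() {
    mode="$1"
    others="${mode#???????}"    # characters 8-10: permission bits for everyone else
    groupbits="${mode#????}"    # characters 5-7: permission bits for the group
    case "$others" in
        r*|?w*) echo "world"; return ;;
    esac
    case "$groupbits" in
        r*|?w*) echo "group"; return ;;
    esac
    echo "owner-only"
}

# Count devices in ls -l output that every local user may open. A non-zero
# result means the least-privilege setup above was overshot: instead of one
# sniffer group, every account on the box can capture traffic.
count_world_open() {
    n=0
    while read -r mode _links _owner _group _rest; do
        [ -n "$mode" ] || continue
        if [ "$(classify_perm "$mode")" = "world" ]; then
            n=$((n + 1))
        fi
    done <<EOF
$1
EOF
    echo "$n"
}

# Constructed sample of  ls -l /dev/bpf*  (not from a real system): bpf0 is set up
# correctly for the group, bpf1 is world-accessible, bpf2 is still root-only.
SAMPLE_LS='crw-rw----  1 root  network   23,   0 Oct 31 09:11 /dev/bpf0
crw-rw-rw-  1 root  wheel     23,   1 Oct 31 09:11 /dev/bpf1
crw-------  1 root  wheel     23,   2 Oct 31 09:11 /dev/bpf2'

echo "devfs ruleset to install:"
bpf_devfs_rules network
echo "bpf devices open to every local user: $(count_world_open "$SAMPLE_LS")"
```

On a live system, replace `SAMPLE_LS` with the output of `ls -l /dev/bpf*`; a count of zero together with a `group` classification for each device is the state the reply argues for, where the sniffer process itself holds no root privilege at all.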