Date:      Thu, 19 Jul 2001 10:52:40 -0700 (PDT)
From:      Matt Dillon <dillon@earth.backplane.com>
To:        Pierre-Luc Lespérance <silence@oksala.org>
Cc:        security@FreeBSD.ORG
Subject:   Re: [PATCH] Re: FreeBSD remote root exploit ?
Message-ID:  <200107191752.f6JHqer75736@earth.backplane.com>
References:  <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org>


:go to /usr/src/crypto/telnet/telnetd
:and type
:shell~# patch -p < /where/is/the/file.patch

    It isn't really safe code.  If the data being formatted is larger
    than the format argument you can overflow the buffer, and the
    'ret' from vsnprintf() is the amount of data that would have been
    output if the buffer had been large enough, not the amount of data
    that was actually output.  Also, size_t is unsigned, which means
    if you overflow the buffer by one byte you are screwed.

    There appear to be a number of places (mainly the DIAG code, but also
    the ENCRYPT code) where this is true.  This patch will fix the existing
    options-based hole, but doesn't close it.

						-Matt
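
The two points raised in the message above (vsnprintf() returns the length the output would have had, and size_t arithmetic wraps instead of going negative), shown as an added C example that is not part of the original message or of the telnetd patch. The names `struct outbuf`, `naive_remaining` and `outbuf_printf` are hypothetical, and the 16-byte buffer is a constructed stand-in for a network output buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical output buffer (constructed for this example). */
struct outbuf {
    char   data[16];
    size_t used;          /* bytes stored, excluding the terminating NUL */
};

/* Bookkeeping that trusts vsnprintf()'s return value as "bytes written".
 * Only the arithmetic is shown; nothing is written with the result. */
static size_t naive_remaining(size_t space, int ret)
{
    return space - (size_t)ret;      /* wraps to a huge value if ret > space */
}

/* Append with clamping. Returns 0 on success, -1 on truncation or error.
 * Invariant: used <= sizeof(data) - 1, so space is always at least 1. */
static int outbuf_printf(struct outbuf *b, const char *fmt, ...)
{
    size_t space = sizeof(b->data) - b->used;
    va_list ap;
    int ret;

    va_start(ap, fmt);
    ret = vsnprintf(b->data + b->used, space, fmt, ap);
    va_end(ap);

    if (ret < 0)
        return -1;                   /* output error */
    if ((size_t)ret >= space) {      /* truncated: only space - 1 bytes stored */
        b->used += space - 1;
        return -1;
    }
    b->used += (size_t)ret;
    return 0;
}

int main(void)
{
    struct outbuf b = { "", 0 };
    outbuf_printf(&b, "%s", "0123456789");            /* fits: used becomes 10 */
    int rc = outbuf_printf(&b, "%s", "ABCDEFGHIJ");   /* needs 10, only 6 left */
    printf("rc=%d used=%zu naive=%zu\n", rc, b.used, naive_remaining(6, 10));
    return 0;
}
```
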
