Date: Thu, 19 Jul 2001 10:52:40 -0700 (PDT)
From: Matt Dillon <dillon@earth.backplane.com>
To: Pierre-Luc Lespérance <silence@oksala.org>
Cc: security@FreeBSD.ORG
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
Message-ID: <200107191752.f6JHqer75736@earth.backplane.com>
References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org>

:go to /usr/src/crypto/telnet/telnetd
:and type
:shell~# patch -p < /where/is/the/file.patch

    It isn't really safe code.  If the data being formatted is larger
    than the format argument you can overflow the buffer, and the 'ret'
    from vsnprintf() is the amount of data that would have been output
    if the buffer had been large enough, not the amount of data that was
    actually output.  Also, size_t is unsigned, which means if you
    overflow the buffer by one byte you are screwed.

    There appear to be a number of places (mainly the DIAG code, but also
    the ENCRYPT code) where this is true.  This patch will fix the
    existing options-based hole, but doesn't close it.

                                                -Matt
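
The two hazards described in the message above (vsnprintf() returning the would-be length rather than the stored length, and unsigned size_t arithmetic wrapping), as an added example that is not part of the original e-mail or of the telnetd patch. The names struct outbuf, naive_remaining and outbuf_printf are hypothetical, and the 16-byte buffer is a constructed size.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical bounded output buffer; names are illustrative, not telnetd's. */
struct outbuf {
    char   data[16];
    size_t used;       /* bytes stored, excluding the terminating NUL */
    int    truncated;  /* set once an append did not fit */
};

/* The bookkeeping the message warns about: vsnprintf()'s return value is
 * treated as "bytes written" and subtracted from an unsigned count.
 * Returns the space the caller would believe is left. */
static size_t naive_remaining(size_t remaining, const char *fmt, ...)
{
    char scratch[16];
    va_list ap;
    int ret;

    va_start(ap, fmt);
    ret = vsnprintf(scratch, sizeof(scratch), fmt, ap);
    va_end(ap);
    return remaining - (size_t)ret;  /* wraps to a huge value if ret > remaining */
}

/* Hardened append: check ret against the room left before advancing. */
static int outbuf_printf(struct outbuf *ob, const char *fmt, ...)
{
    size_t room = sizeof(ob->data) - ob->used;  /* used <= 15, so room >= 1 */
    va_list ap;
    int ret;

    va_start(ap, fmt);
    ret = vsnprintf(ob->data + ob->used, room, fmt, ap);
    va_end(ap);
    if (ret < 0) {                    /* output error: keep old contents */
        ob->data[ob->used] = '\0';
        return -1;
    }
    if ((size_t)ret >= room) {        /* would-be length exceeds the room */
        ob->used = sizeof(ob->data) - 1;  /* only room - 1 bytes were stored */
        ob->truncated = 1;
        return -1;
    }
    ob->used += (size_t)ret;
    return 0;
}
```

With 9 bytes believed free and a 10-byte string, naive_remaining() returns (size_t)-1, so any later length check against that count passes; outbuf_printf() instead pins used at 15 and reports the truncation.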