Date: Tue, 29 Aug 1995 19:23:36 -0400 (EDT)
From: "Jonathan M. Bresler" <jmb@kryten.Atinc.COM>
To: Bruce Evans <bde@zeta.org.au>
Cc: security@freebsd.org
Subject: Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
Message-ID: <Pine.3.89.9508291953.B15948-0100000@kryten.atinc.com>
In-Reply-To: <199508291811.EAA28657@godzilla.zeta.org.au>

On Wed, 30 Aug 1995, Bruce Evans wrote:

> >from a quick perusal of the syslog.c that we have in -stable, i'd say
> >that FreeBSD is vulnerable to this attack.  our syslog has fixed size
> >buffers and uses sprintf to write to them.  should be changed to
> >snprintf--a quick perusal says that should do the trick
>
> >shades of rtm
>
> Anyone for execute-protected data by default if the machine can support
> it?  Programs that want to execute data should have to request it and
> everything else would be more secure.

the segment descriptors support the text (code) vs data
identification.  this would be a big win regarding security (and writing
to wild pointers that hit your own code segment ;)

we should still examine all the system libraries for similar
problems (buffer overrun).  this was the exact same problem that rtm used
to compromise fingerd, it used gets(), syslog() used sprintf().

>
> Bruce
>

Jonathan M. Bresler  jmb@kryten.atinc.com  | Analysis & Technology, Inc.
FreeBSD Postmaster   jmb@FreeBSD.Org       | 2341 Jeff Davis Hwy
play go.                                   | Arlington, VA 22202
ride bike. hack FreeBSD.--ah the good life | 703-418-2800 x346
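
The sprintf()-to-snprintf() change proposed in the message above, as an added example (not part of the original e-mail and not FreeBSD's syslog.c). The struct and function names are hypothetical and the 64-byte buffer and sample strings are constructed; the code checks vsnprintf()'s return value so that appending several pieces never advances past the fixed buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded log buffer (names and 64-byte size are assumptions). */
struct logbuf {
    char   data[64];   /* fixed-size buffer, like the one the message describes */
    size_t used;       /* bytes stored, not counting the terminating NUL */
    int    truncated;  /* set once any append did not fit */
};

/* Append formatted text; never writes outside data[]. */
static void logbuf_appendf(struct logbuf *b, const char *fmt, ...) {
    size_t room = sizeof(b->data) - b->used;  /* always >= 1: space for NUL */
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(b->data + b->used, room, fmt, ap);
    va_end(ap);
    if (n < 0) {                      /* output error: drop this piece */
        b->data[b->used] = '\0';
        b->truncated = 1;
    } else if ((size_t)n >= room) {   /* n = length that would have been written */
        b->used = sizeof(b->data) - 1;
        b->truncated = 1;
    } else {
        b->used += (size_t)n;
    }
}

/* Assemble "<pri>tag: msg" piece by piece, as a syslog-style routine does. */
static size_t build_line(struct logbuf *b, int pri, const char *tag, const char *msg) {
    memset(b, 0, sizeof(*b));         /* empty string, used = 0, truncated = 0 */
    logbuf_appendf(b, "<%d>", pri);
    logbuf_appendf(b, "%s: ", tag);
    logbuf_appendf(b, "%s", msg);     /* msg is data, never the format string */
    return b->used;
}

int main(void) {
    struct logbuf b;
    char big[200];                    /* constructed oversized message */
    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    build_line(&b, 13, "demo", big);
    printf("%zu bytes kept, truncated=%d\n", b.used, b.truncated);
    return 0;
}
```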