From: Xin Li
Organization: The FreeBSD Project
Date: Tue, 21 Jan 2014 15:24:51 -0800
To: freebsd-security@freebsd.org
Reply-To: d@delphij.net
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:01.bsnmpd
Message-ID: <52DF01C3.4030008@delphij.net>
In-Reply-To: <20140116204101.GA40990@caravan.chchile.org>
References: <201401142011.s0EKB8Zw082592@freefall.freebsd.org> <20140116204101.GA40990@caravan.chchile.org>

On 1/16/14, 12:41 PM, Jeremie Le Hen wrote:
> Hi,
>
> On Tue, Jan 14, 2014 at 08:11:08PM +0000, FreeBSD Security
> Advisories wrote:
>>
>> II. Problem Description
>>
>> The bsnmpd(8) daemon is prone to a stack-based buffer-overflow
>> when it has received a specifically crafted GETBULK PDU request.
>>
>> III. Impact
>>
>> This issue could be exploited to execute arbitrary code in the
>> context of the service daemon, or crash the service daemon,
>> causing a denial-of-service.
>>
>> IV. Workaround
>>
>> No workaround is available, but systems not running bsnmpd(8) are
>> not vulnerable.
>
> We are supposed to have SSP in all binaries that should prevent
> exploitations from this kind of bugs. I am curious why it hasn't
> been mentioned: is it because it didn't work as expected (which
> would require some investigation), or is it just an omission?

Yes, it does work and will abort the process (results in a Denial of
Service) rather than allowing the execution.

Cheers,
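
Added example, not part of the original message and not bsnmpd or compiler code: a small C model of the trade-off discussed above, where a stack guard (SSP) turns an overflow that would otherwise replace the return address into a process abort. The frame layout, guard value, and the names run_frame and run_with_fill are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled frame layout (byte offsets): buffer, guard word, saved return address. */
enum { BUF_LEN = 16, GUARD_OFF = 16, RET_OFF = 24, FRAME_LEN = 32 };

typedef enum { RETURNED_NORMALLY, ABORTED_BY_GUARD, CONTROL_HIJACKED } outcome_t;

/* Constructed values; a real guard is chosen randomly at process start. */
static const uint64_t GUARD = 0x00a5c3f10d0aff00ULL;
static const uint64_t LEGIT_RET = 0x1000;

/* Copy len input bytes into the 16-byte buffer unchecked, then run the epilogue. */
outcome_t run_frame(const unsigned char *input, size_t len, int ssp_enabled)
{
    unsigned char frame[FRAME_LEN];
    uint64_t guard, ret;

    /* Prologue: the guard sits between the buffer and the return address. */
    memset(frame, 0, BUF_LEN);
    memcpy(frame + GUARD_OFF, &GUARD, sizeof GUARD);
    memcpy(frame + RET_OFF, &LEGIT_RET, sizeof LEGIT_RET);

    /* The modelled bug: the length is trusted. It is clamped to the
       model's frame only so that this demo itself stays in bounds. */
    if (len > FRAME_LEN)
        len = FRAME_LEN;
    memcpy(frame, input, len);

    /* Epilogue: with SSP the guard is compared before the return address is used. */
    memcpy(&guard, frame + GUARD_OFF, sizeof guard);
    memcpy(&ret, frame + RET_OFF, sizeof ret);
    if (ssp_enabled && guard != GUARD)
        return ABORTED_BY_GUARD; /* real SSP calls __stack_chk_fail() and the process aborts */
    return ret == LEGIT_RET ? RETURNED_NORMALLY : CONTROL_HIJACKED;
}

/* Helper: feed len filler bytes to the modelled frame. */
outcome_t run_with_fill(size_t len, int ssp_enabled)
{
    unsigned char input[FRAME_LEN];
    memset(input, 'A', sizeof input);
    return run_frame(input, len, ssp_enabled);
}

int main(void)
{
    printf("fits, SSP on:      %d\n", run_with_fill(8, 1));
    printf("overflow, SSP on:  %d\n", run_with_fill(32, 1));
    printf("overflow, SSP off: %d\n", run_with_fill(32, 0));
    return 0;
}
```

In the model, a 20-byte input with the guard disabled returns normally even though memory past the buffer was overwritten; with the guard enabled the same input is caught.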