Date: Sat, 13 Jan 2001 15:41:44 -0800
From: Kris Kennaway
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [!H] Tcpdump 3.5.2 remote root vulnerability (fwd)
Message-ID: <20010113154144.A2379@citusc.usc.edu>
References: <20010112184529.B25168@citusc.usc.edu> <200101131323.f0DDNX518734@cwsys.cwsent.com>
In-Reply-To: <200101131323.f0DDNX518734@cwsys.cwsent.com>

On Sat, Jan 13, 2001 at 05:23:22AM -0800, Cy Schubert - ITSD Open Systems Group wrote:

> I do recall the advisory which mainly patches some calls from sprintf()
> to snprintf(), however the advisory from BUGTRAQ that I had forwarded
> to this list patches two calls to sscanf(). Are you saying that we
> tackled the same problem differently or did we just fix a different
> buffer overrun condition?

I believe it attempts to fix one of the problems we fixed (but does it incorrectly, by truncating a string to 127 bytes which may legitimately be up to 2048 bytes long in the real world).

> If this is a different problem, there are two other sscanf's in
> print-atalk.c that were not discussed in the advisory that need fixing.
These are not exploitable: they read from /etc/atalk.names which is root-owned, and even then the buffers are sized such that they can't be overflowed.

Kris
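The trade-off Kris describes (an unbounded `sscanf("%s")` overflows the buffer, while a fixed field width such as `%127s` silently cuts off longer legitimate input) can be handled by tying the width to the buffer size and detecting truncation instead of accepting it. The following is an added example, not code from the thread, from tcpdump or from FreeBSD; the "net.node name" line layout and the 127-byte NAME_MAX are assumptions chosen to mirror the numbers discussed above.

```c
/* Added example: bounded sscanf with truncation detection.
 * Assumed input format (hypothetical, modelled on /etc/atalk.names):
 *   "<net>.<node> <name>"
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 127          /* assumed buffer limit, matches the thread's 127 bytes */
#define STR_(x) #x
#define STR(x) STR_(x)        /* turns NAME_MAX into the literal "127" for the format */

struct atalk_entry {
    unsigned net, node;
    char name[NAME_MAX + 1];  /* +1 for the terminating NUL written by %s */
};

/* Returns 1 on success, 0 if the line does not parse,
 * -1 if the name was longer than NAME_MAX and would have been truncated. */
int parse_atalk_line(const char *line, struct atalk_entry *e)
{
    int consumed = 0;
    /* The width "%127s" is generated from NAME_MAX, so the bound cannot drift
     * from the buffer size. Without the width, "%s" would write past e->name,
     * which is the overrun class the advisory patched. */
    if (sscanf(line, "%u.%u %" STR(NAME_MAX) "s%n",
               &e->net, &e->node, e->name, &consumed) != 3)
        return 0;
    /* %s stops at whitespace. If the character right after the captured
     * field is neither whitespace nor end of string, the field was cut short. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return -1;
    return 1;
}

int main(void)
{
    struct atalk_entry e;
    /* Constructed sample lines, not real atalk.names content. */
    printf("short: %d\n", parse_atalk_line("1.5 printer-room\n", &e));
    printf("bad:   %d\n", parse_atalk_line("garbage", &e));
    char longline[300];
    memcpy(longline, "2.3 ", 4);
    memset(longline + 4, 'a', 295);
    longline[299] = '\0';
    printf("long:  %d\n", parse_atalk_line(longline, &e));
    return 0;
}
```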