From owner-freebsd-security  Wed Nov 28 11:16:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193])
	by hub.freebsd.org (Postfix) with ESMTP
	id A5C1737B41B; Wed, 28 Nov 2001 11:16:44 -0800 (PST)
Received: (from wollman@localhost)
	by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id fASJGiu00666;
	Wed, 28 Nov 2001 14:16:44 -0500 (EST)
	(envelope-from wollman)
Date: Wed, 28 Nov 2001 14:16:44 -0500 (EST)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Message-Id: <200111281916.fASJGiu00666@khavrinen.lcs.mit.edu>
To: "Andrew R. Reiter" <arr@FreeBSD.org>
Cc: freebsd-security@FreeBSD.org
Subject: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability (fwd)
In-Reply-To: <Pine.NEB.3.96L.1011128125641.42899A-100000@fledge.watson.org>
References: <Pine.NEB.3.96L.1011128125641.42899A-100000@fledge.watson.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

<<On Wed, 28 Nov 2001 12:57:12 -0500 (EST), "Andrew R. Reiter"
<arr@FreeBSD.org> quotes a bugtrraq advisory stating:

>   The attacker must ensure that a maliciously constructed  malloc  header
>   containing the target address and it's replacement  value  are  in  the
>   right location in the uninitialized part of  the  heap.   The  attacker
>   must also place shellcode in server process memory.

...which means that this vulnerability does not exist under FreeBSD,
since PHK-malloc does not mingle its metadata with its heap.

-GAWollman


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message