From owner-freebsd-security Wed Nov 28 14:29:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 930B437B419; Wed, 28 Nov 2001 14:29:24 -0800 (PST) Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id fASMTK345755; Thu, 29 Nov 2001 01:29:20 +0300 (MSK) (envelope-from ache) Date: Thu, 29 Nov 2001 01:29:20 +0300 From: "Andrey A. Chernov" To: Garrett Wollman Cc: "Andrew R. Reiter" , freebsd-security@FreeBSD.ORG Subject: Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability (fwd) Message-ID: <20011128222920.GB45632@nagual.pp.ru> References: <200111281916.fASJGiu00666@khavrinen.lcs.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200111281916.fASJGiu00666@khavrinen.lcs.mit.edu> User-Agent: Mutt/1.3.23.2i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Nov 28, 2001 at 14:16:44 -0500, Garrett Wollman wrote: > < quotes a bugtrraq advisory stating: > > > The attacker must ensure that a maliciously constructed malloc header > > containing the target address and it's replacement value are in the > > right location in the uninitialized part of the heap. The attacker > > must also place shellcode in server process memory. > > ...which means that this vulnerability does not exist under FreeBSD, > since PHK-malloc does not mingle its metadata with its heap. The vulnerability is buffer overflow, not destroying malloc data. I fix it in wu-ftpd-2.6.1_7 -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message