Date: Fri, 18 Mar 2005 00:26:56 -0500 From: David Schultz <das@FreeBSD.ORG> To: Colin Percival <cperciva@FreeBSD.ORG> Cc: freebsd-security@FreeBSD.ORG Subject: Re: no patch, is there a problem Message-ID: <20050318052656.GA40243@VARK.MIT.EDU> In-Reply-To: <423A19B2.7000602@freebsd.org> References: <423A1842.4050603@open-networks.net> <423A19B2.7000602@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Mar 17, 2005, Colin Percival wrote: > Timothy Smith wrote: > > http://www.securityfocus.com/bid/12825/info/ > > > > no patch or anything, is there any action on this? > > We're not affected. The problem is in copyoutstr(), > which doesn't exist in FreeBSD. > > I've sent an email to securityfocus advising them of > this. It exists on FreeBSD/alpha because it was blindly copied from NetBSD. However, we don't use it, and it appears to do proper validation anyway. I'm not sure whether the bugtraq submitter is intentionally spreading FUD or just lazy; the assertion that we do ``no validation'' in copyout is patently false. It seems that someone just copied a list of all FreeBSD CVS branches without actually looking at the source or contacting security@freebsd.org. Sigh.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050318052656.GA40243>