Date: Mon, 24 Mar 2003 13:19:07 -0600
From: D J Hawkey Jr <hawkeyd@visi.com>
To: "Jacques A. Vidrine" <nectar@FreeBSD.ORG>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: another TCPDump update question (going slightly off-topic)
Message-ID: <20030324131907.A9716@sheol.localdomain>
In-Reply-To: <20030324184428.GH1911@madman.celabo.org>; from nectar@FreeBSD.ORG on Mon, Mar 24, 2003 at 12:44:28PM -0600
References: <20030311231326.82217.qmail@web10107.mail.yahoo.com> <20030324151410.GE94153@madman.celabo.org> <20030324093021.A8296@sheol.localdomain> <20030324160020.GA1911@madman.celabo.org> <20030324110222.A8625@sheol.localdomain> <20030324184428.GH1911@madman.celabo.org>

On Mar 24, at 12:44 PM, Jacques A. Vidrine wrote:
>
> On Mon, Mar 24, 2003 at 11:02:22AM -0600, D J Hawkey Jr wrote:
> >
> > www.tcpdump.org shows a new libpcap "to go with" the updated tcpdump.
> > They don't say a vulnerability was in libpcap, but if so, a quick scan
> > of userland shows that pppd is linked to libpcap. By inference, I would
> > think kernel-mode PPP falls in line with this, too. Now, there's a
> > rather big "if" here, but if true, would this then qualify as worthy
> > of a SA? As an aside, isn't BPF also tied to libpcap?
>
> The `if' is indeed big. The assumptions in the above paragraph
> don't hold:
> (1) The vulnerability was in a tcpdump printer, not libpcap.
> (2) While pppd does indeed use libpcap to implement packet filtering,
> kernel-mode PPP most certainly does not.
> (3) libpcap's live-capture mode is implemented on top of bpf, not the
> other way 'round.

I stand corrected. Thanks.

> But as for this issue ... I honestly do not think it is important to
> any FreeBSD user. The only possible exception might be someone
> deploying tcpdump or tcpdump code fragments as part of an intrusion
> detection system (seems unlikely).
>
> Remember guys, we're talking about a command-line utility going into
> an infinite loop. No crashes. No code execution. No nothing, it
> just sits there printing to stdout.

OK, I picked a bad example to illustrate my "bigger concern", as this
issue isn't a security issue. My bad.

> > If my feeling is wrong...
>
> Your feeling may be wrong in only one way: you seem to be assuming
> that the tcpdump issue did not get treatment...
>
> i.e. the issue got handled with as much thoroughness as any issue that
> affects the base system does...

Oh, no, no... I didn't mean to imply that you blithely (sp?) dismissed the
vulnerability out-of-hand. I know you're better than that.

Thanks again. I'll go away now.

Dave
--
______________________ ______________________
\__________________ \ D. J. HAWKEY JR. / __________________/
\________________/\ hawkeyd@visi.com /\________________/
http://www.visi.com/~hawkeyd/
