Date: Mon, 15 May 2000 13:17:39 -0700 (PDT)
From: Kris Kennaway
To: Visigoth
Cc: freebsd-security@freebsd.org
Subject: Re: qpopper discussion on BUGTRAQ

On Mon, 15 May 2000, Visigoth wrote:

> I was just curious as to what the freebsd stance on the possible
> qpopper-2.53 vuln as is being discussed on BUGTRAQ. Has this vuln been
> tested with the freebsd port? Are there known issues? I am going to
> (hopefully) be taking a look at the "exploitability" of the freebsd port
> for qpopper-2.53 but I was wondering if someone had already done all the
> work. I understand that the exploit posted on bugtraq would need to be
> modified, but I am wondering if the security/ports team have taken care of
> the offending piece of code already (which is so often the case)...

I'm not sure which of the reported vulnerabilities you're referring to,
but in either case I know of the answer is "Blah blah blah, NOT
vulnerable..."

* BSD systems don't have the tempfile creation problems which can deny
  service to a user's mailbox (only SYSV directory semantics)

* FreeBSD fixed the "fgets() wraparound" bug prior to the release of the
  bugtraq advisory.

It's been on my plate to release an advisory about this since it was
fixed, but I've been sidetracked with other issues. My apologies - I'll
try and get my backlog cleared this week.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe