Date:      Mon, 15 May 2000 16:41:01 -0400 (EDT)
From:      Igor Roshchin <str@giganda.komkon.org>
To:        "Kris Kennaway" <kris@FreeBSD.ORG>
Cc:        Visigoth <visigoth@telemere.net>, freebsd-security@FreeBSD.ORG
Subject:   Re: qpopper discussion on BUGTRAQ
Message-ID:  <200005152041.QAA80539@giganda.komkon.org>
In-Reply-To: <Pine.BSF.4.21.0005151314410.79374-100000@freefall.freebsd.org> from "Kris Kennaway" at "May 15, 2000 01:17:39 pm"

> On Mon, 15 May 2000, Visigoth wrote:
> 
> > 	I was just curious as to what the freebsd stance on the possible
> > qpopper-2.53 vuln as is being discussed on BUGTRAQ.  Has this vuln been
> > tested with the freebsd port?  Are there known issues?  I am going to
> > (hopefully) be taking a look at the "exploitability" of the freebsd port
> > for qpopper-2.53 but I was wondering if someone had already done all the
> > work.  I understand that the exploit posted on bugtraq would need to be
> > modified, but I am wondering if the security/ports team have taken care of
> > the offending piece of code already (which is so often the case)...
> 
> I'm not sure which of the reported vulnerabilities you're referring to,
> but in either case I know of the answer is "Blah blah blah, NOT
> vulnerable..."
> 
> * BSD systems don't have the tempfile creation problems which can deny
> service to a user's mailbox (only SYSV directory semantics)
> * FreeBSD fixed the "fgets() wraparound" bug prior to the release of the
> bugtraq advisory.
> 
> It's been on my plate to release an advisory about this since it was
> fixed, but I've been sidetracked with other issues. My apologies - I'll try
> and get my backlog cleared this week.
> 
> Kris
> 
> ----

Although I am not sure which vulnerability the author of the original question
is talking about, I see that there was a recent patch
(April 17) related to (if I read it correctly) some buffer overflow,
or something like that...
(and IIRC there was something like that mentioned on BUGTRAQ some time
ago)

Maybe the author of the patch can clear up the question?
(sorry I don't have time/possibility to check the cvs logs now
to find out how it was)

Igor



