From owner-freebsd-security Mon Oct 2 13:27:36 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id NAA20645 for security-outgoing; Mon, 2 Oct 1995 13:27:36 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id NAA20640 for ; Mon, 2 Oct 1995 13:27:32 -0700
Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.12/8.6.12) with SMTP id NAA00523 for ; Mon, 2 Oct 1995 13:26:55 -0700
Message-Id: <199510022026.NAA00523@precipice.shockwave.com>
To: security@freebsd.org
Subject: heads up
Date: Mon, 02 Oct 1995 13:26:54 -0700
From: Paul Traina
Sender: owner-security@freebsd.org
Precedence: bulk

I am s-l-o-w-l-y patching up our existing eBones code to pull in the changes
from kerberos patch level 9 to patch level 10. It looks like our code was a
private snapshot that fell somewhere between there.

Lots of bug fixes and extended key lifetimes are on the way.

From owner-freebsd-security Mon Oct 2 21:40:37 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id VAA11241 for security-outgoing; Mon, 2 Oct 1995 21:40:37 -0700
Received: from relay.hp.com (relay.hp.com [15.255.152.2]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id VAA11234 for ; Mon, 2 Oct 1995 21:40:35 -0700
Received: from hpautobo.aus.hp.com by relay.hp.com with ESMTP (1.37.109.16/15.5+ECS 3.3) id AA066485231; Mon, 2 Oct 1995 21:40:33 -0700
Message-Id: <199510030440.AA066485231@relay.hp.com>
Received: by hpautobo.aus.hp.com (1.37.109.16/16.2) id AA019385230; Tue, 3 Oct 1995 14:40:30 +1000
From: M C Wong
Subject: screend for FreeBSD ?
To: freebsd-security@freefall.freebsd.org
Date: Tue, 3 Oct 95 14:40:30 EST
Mailer: Elm [revision: 70.85]
Sender: owner-security@FreeBSD.org
Precedence: bulk

Does anyone have the patched version of screend for FreeBSD?
Preferably against the 1.1.5.1 kernel source?

Thanks in advance.

From owner-freebsd-security Mon Oct 2 23:20:49 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id XAA19918 for security-outgoing; Mon, 2 Oct 1995 23:20:49 -0700
Received: from puli.cisco.com (puli.cisco.com [171.69.1.174]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id XAA19911 for ; Mon, 2 Oct 1995 23:20:47 -0700
Received: (pst@localhost) by puli.cisco.com (8.6.8+c/8.6.5) id XAA23494; Mon, 2 Oct 1995 23:20:16 -0700
Date: Mon, 2 Oct 1995 23:20:16 -0700
From: Paul Traina
Message-Id: <199510030620.XAA23494@puli.cisco.com>
To: security@freebsd.org
Subject: [cisco.external.bugtraq] (fwd) NIS library code exposure
Sender: owner-security@freebsd.org
Precedence: bulk

------- Start of forwarded message -------
Path: cronkite.cisco.com!newsgate.cisco.com
From: ccshag@cclabs.missouri.edu ("Paul 'Shag' Walmsley")
To: Multiple recipients of list BUGTRAQ
Newsgroups: cisco.external.bugtraq
Subject: (fwd) NIS library code exposure
Message-ID: <199510020029.TAA06496@sgi6.phlab.missouri.edu>
Date: 01 Oct 1995 16:29:41 PST
Sender: Bugtraq List
Reply-To: Bugtraq List
Organization: Internet-USENET Gateway at cisco Systems
Lines: 50

X-Authentication-Warning: ghoti.mcom.com: Host localhost didn't use HELO protocol
To: cypherpunks@toad.com
Cc: karlton@netscape.com
Subject: NIS library code exposure
Date: Wed, 27 Sep 1995 21:02:33 -0700
Message-ID: <14539.812260953@ghoti.mcom.com>
From: Phil Karlton
Sender: owner-cypherpunks@toad.com
Precedence: bulk
Path: news.missouri.edu!news.sprintlink.net!in1.uu.net!news.xensei.com!hudson.lm.com!mail-news-gateway!not-for-mail
Newsgroups: mail.cypherpunks
Approved: mail-news-gateway@hudson.lm.com
Lines: 31

Once again I speak for myself and not Netscape.

While investigating one of the crashes we ended up decompiling some of the
code in the C library. It turns out that in some UNIX systems, the code in
gethostbyname_yp will copy the hostname argument onto a stack local buffer.
That buffer appears to be of size MAXHOSTNAMELEN. [This is very efficient
code at destroying the stack: it does not use strcpy or sprintf; there is an
inline loop copying characters until it finds a NUL.]

An unstated (in any documentation I could find) limitation on calls to
gethostbyname is that the "name" parameter must be a limited size string for
it to work at all.

I suspect this bug has been in the NIS (nee YP) code for some time.

Do you have any daemons that run as root and do networking? Are you sure that
all of them check the length of the host name before passing it to
gethostbyname? [Avoid the fencepost error: MAXHOSTNAMELEN is really the size
of the buffer and not the maximal string length. You need room for the
trailing NUL.]

We have not looked into the networking libraries that are typically found on
a PC or Macintosh. The exposure may also be present there.

PK
--
Philip L. Karlton               karlton@netscape.com
Principal Curmudgeon            http://www.netscape.com/people/karlton
Netscape Communications Corporation

--
- Paul "Shag" Walmsley
"Praise and blame alike mean nothing."
        -- Virginia Woolf
------- End of forwarded message -------
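
[Added example, not part of any message in this archive and not code from the libraries discussed: the length check that Phil Karlton's forwarded message asks callers to make before gethostbyname, with the MAXHOSTNAMELEN fencepost handled, next to a bounded form of the copy into a MAXHOSTNAMELEN-byte buffer. The names hostname_fits, copy_hostname and checked_gethostbyname are hypothetical.]

```c
#include <errno.h>
#include <netdb.h>
#include <stddef.h>
#include <string.h>
#include <sys/param.h>   /* MAXHOSTNAMELEN */

/* Returns 1 if name, including its trailing NUL, fits a buffer of
 * MAXHOSTNAMELEN bytes, else 0. memchr inspects at most MAXHOSTNAMELEN
 * bytes, so an oversized input is rejected without walking to its end. */
int hostname_fits(const char *name)
{
    return name != NULL && memchr(name, '\0', MAXHOSTNAMELEN) != NULL;
}

/* Bounded form of the copy the message describes: fills a
 * MAXHOSTNAMELEN-byte buffer, or returns -1 and leaves dst empty. */
int copy_hostname(char dst[MAXHOSTNAMELEN], const char *src)
{
    dst[0] = '\0';
    if (!hostname_fits(src))
        return -1;
    memcpy(dst, src, strlen(src) + 1);   /* +1 copies the NUL as well */
    return 0;
}

/* Caller-side guard (hypothetical wrapper): refuse overlong names
 * before the resolver library ever sees them. */
struct hostent *checked_gethostbyname(const char *name)
{
    if (!hostname_fits(name)) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    return gethostbyname(name);
}

int main(void)
{
    /* Constructed input: exactly MAXHOSTNAMELEN characters plus NUL,
     * one byte more than the buffer can hold. */
    char too_long[MAXHOSTNAMELEN + 1];
    memset(too_long, 'a', MAXHOSTNAMELEN);
    too_long[MAXHOSTNAMELEN] = '\0';
    return checked_gethostbyname(too_long) == NULL ? 0 : 1;
}
```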