From owner-freebsd-security@FreeBSD.ORG Thu Jan 16 20:41:10 2014
Date: Thu, 16 Jan 2014 21:41:02 +0100
From: Jeremie Le Hen
To: freebsd-security@freebsd.org
Cc: FreeBSD Security Advisories
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:01.bsnmpd
Message-ID: <20140116204101.GA40990@caravan.chchile.org>
In-Reply-To: <201401142011.s0EKB8Zw082592@freefall.freebsd.org>
Mail-Followup-To: freebsd-security@freebsd.org, FreeBSD Security Advisories
User-Agent: Mutt/1.5.22 (2013-10-16)

Hi,

On Tue, Jan 14, 2014 at 08:11:08PM +0000, FreeBSD Security Advisories wrote:
> II. Problem Description
>
> The bsnmpd(8) daemon is prone to a stack-based buffer-overflow when it
> has received a specifically crafted GETBULK PDU request.
>
> III. Impact
>
> This issue could be exploited to execute arbitrary code in the context of
> the service daemon, or crash the service daemon, causing a denial-of-service.
>
> IV. Workaround
>
> No workaround is available, but systems not running bsnmpd(8) are not
> vulnerable.

We are supposed to have SSP in all binaries, which should prevent
exploitation of this kind of bug. I am curious why it hasn't been
mentioned: is it because it didn't work as expected (which would require
some investigation), or is it just an omission?

Regards,
-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
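The question above rests on the assumption that a given binary was actually built with SSP. The script below is an added example (not from the mail or from FreeBSD's own tooling) that checks this the way an administrator would: a protected binary references the runtime handler __stack_chk_fail, so its name appears among the binary's symbols; a second helper compiles a throwaway program to see whether the host cc turns SSP on by default. It assumes nm(1) (with a plain grep fallback) and a working cc that accepts C on stdin.

```sh
#!/bin/sh
# Added example: does an ELF binary carry the stack-smashing protector?
# Binaries built with -fstack-protector* call __stack_chk_fail when a
# canary is corrupted, so that symbol is referenced in protected code
# and absent otherwise.

# has_ssp BINARY -> exit 0 if BINARY references __stack_chk_fail
has_ssp() {
    if command -v nm >/dev/null 2>&1; then
        # Check both the dynamic and the regular symbol table; a stripped
        # binary only keeps the dynamic one.
        { nm -D "$1" 2>/dev/null; nm "$1" 2>/dev/null; } |
            grep -q '__stack_chk_fail'
    else
        # Fallback without binutils: the name still sits in .dynstr.
        grep -a -q '__stack_chk_fail' "$1"
    fi
}

# build_probe OUTPUT [CFLAGS...] -> compile a trivial program that has a
# stack buffer, so the compiler's stack-protector decision is observable.
build_probe() {
    out=$1; shift
    printf 'int main(void) { char buf[64] = {0}; return buf[0]; }\n' |
        cc "$@" -x c -o "$out" -
}

# Usage: sh ssp_check.sh --check-toolchain   (reports the cc default)
#        sh ssp_check.sh /path/to/binary     (reports one binary)
case "${1:-}" in
--check-toolchain)
    dir=$(mktemp -d)
    if build_probe "$dir/default"; then
        if has_ssp "$dir/default"; then
            echo "default cc flags: SSP enabled"
        else
            echo "default cc flags: SSP NOT enabled"
        fi
    fi
    rm -rf "$dir"
    ;;
"") ;;
*)
    if has_ssp "$1"; then echo "$1: SSP"; else echo "$1: no SSP"; fi
    ;;
esac
```

A positive result only says the binary was instrumented; whether the canary sits between the overflowed buffer and the return address for this particular bug is a separate question that needs the crash details.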