Date: Sat, 2 Aug 1997 17:25:53 +0300 (EET DST)
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: joerg_wunsch@uriah.heep.sax.de
Cc: ru@ucb.crimea.ua, jkh@time.cdrom.com, freebsd-bugs@FreeBSD.ORG, imp@village.org
Subject: Re: CERT Advisory CA-97.17 - Vulnerability in suidperl (sperl) question...
Message-ID: <199708021425.RAA07998@relay.ucb.crimea.ua>
In-Reply-To: <19970802152306.IZ53286@uriah.heep.sax.de> from "J Wunsch" at Aug 2, 97 03:23:06 pm

Hi, J"oerg & all!

You wrote:

> That's not fully right. If you read Warner's name in the advisory, it
> shouldn't surprise you too much to see:
>
> revision 1.3
> date: 1997/05/22 21:40:08; author: imp; state: Exp; lines: +5 -2
> Fix buffer overload that might lead to root.
>
> (In Perl4, that's in stab.c.)
>
> The problem in toke.c was still unfixed. Below's a patch (basically
> the patch from the CA, adapted for Perl4). Warner, can you please
> review it?

For CERT Advisory CA-97.16 - ftpd Signal Handling Vulnerability
there is a response from the FreeBSD Project:

| The FreeBSD Project
| ===================
|
| The FreeBSD Project has informed AUSCERT that the vulnerability
| described in this advisory has been fixed in FreeBSD-current (from
| January 27, 1997), and will be fixed in the upcoming FreeBSD 2.2
| release. All previous versions of FreeBSD are vulnerable.

For CERT Advisory CA-97.17 - Vulnerability in suidperl (sperl)
there is no such response from the FreeBSD Project.

Because no response was made by the FreeBSD Project to CA-97.17,
why is there not at least a GNATS entry for it? How do people (having
no CVS) know that FreeBSD is not vulnerable?

TIA,
--
Ruslan A. Ermilov       System Administrator
ru@ucb.crimea.ua        United Commercial Bank
+380-652-247 647        Simferopol, Crimea