Date: Thu, 3 Jan 2008 21:57:45 +0100
From: Joerg Scheurich aka MUFTI <rusmufti@helpdesk.bera.rus.uni-stuttgart.de>
To: ports@freebsd.org
Cc: rzr@users.sf.net, Axel.Thi@ATrpms.net, awilliamson@mandriva.com, dag@wieers.com, fundawang@mandriva.com, dries@ulyssis.org
Subject: white_dune security problems
Message-ID: <20080103205745.GA13555@helpdesk.bera.rus.uni-stuttgart.de>

Hi!

There are a buffer overflow and a format string error; all versions of white_dune older than 0.29beta795 and 0.28pl13 should not be used. This also includes dune-0.13 (white_dune is a fork of dune-0.13).

Unfortunately, the security problems are located in error message routines, so it is rather simple to build an exploit 8-(

Versions currently available without these problems are
http://129.69.35.12/dune/white_dune-0.29beta796.tar.gz for the development version and
http://129.69.35.12/dune/white_dune-0.28pl13.tar.gz for the stable version.

The major difference between the development and the stable tree is:

- the development version contains many more features and bugfixes
- the user documentation of the development version and the stable version is almost identical 8-(

see also http://www.securityfocus.com/archive/1/485724

so long
MUFTI
--
"Self-destruct in 5 seconds. Have a nice day...\n");
from /usr/src/linux/fs/super.c
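
The two bug classes named in the message (buffer overflow and format string error in error message routines) are avoided by an error formatter shaped like the following. This is an added example, not code from white_dune or from the original message; the function names, the buffer sizes and the sample file name are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#ifndef __GNUC__
#define __attribute__(x) /* format checking is a GCC/Clang extension */
#endif

/* Unsafe pattern this replaces (hypothetical, shown for contrast only):
 *   char buf[256];
 *   sprintf(buf, "%s: %s", filename, text);  -- unbounded write
 *   fprintf(stderr, buf);                     -- input used as format */

/* Bounded formatter: returns 0 if the message fit, 1 if it was
 * truncated, -1 on bad arguments or an output error. */
__attribute__((format(printf, 3, 4)))
static int format_error(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (out == NULL || outsz == 0 || fmt == NULL)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap); /* never writes past outsz */
    va_end(ap);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    return (size_t)n >= outsz ? 1 : 0;
}

/* Parser-style error report: the file name and the offending text come
 * from the input, so they are passed as arguments to a constant format
 * string and are never interpreted as a format themselves. */
static int report_parse_error(char *out, size_t outsz, const char *filename,
                              int line, const char *text)
{
    return format_error(out, outsz, "%s:%d: syntax error near \"%s\"",
                        filename, line, text);
}

int main(void)
{
    char msg[64];
    /* Constructed sample input containing conversion specifiers. */
    int rc = report_parse_error(msg, sizeof msg, "input.dat", 12, "%x%x%n");
    fprintf(stderr, "%s (rc=%d)\n", msg, rc); /* message printed as data */
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn when a non-literal string is passed as the format argument of `format_error`.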