Subject: Re: amd buffer overflow attack
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Zdenek Salvet <salvet@ics.muni.cz>
List: tech-security
Date: 11/22/1999 17:07:51
Message-Id: <199911221607.RAA22936@horn.ics.muni.cz>
Cc: netbsd-help@netbsd.org, tech-security@netbsd.org
In-Reply-To: <19991118165636.A16449@antioche.lip6.fr> from Manuel Bouyer at "Nov 18, 99 04:56:36 pm"

> On Thu, Nov 18, 1999 at 09:15:37AM -0600, Ruibiao Qiu wrote:
> > Hi, all
> > 
> > Checking out the following URL:
> > 	http://www.cert.org/advisories/CA-99-12-amd.html
> > I wonder if NetBSD is vulnerable to this attack.  OpenBSD is not,
> > but FreeBSD needs a patch for this.
> 
> NetBSD was. 1.4.1 is vulnerable, you need to upgrade to the -release branch
> or a recent -current (I don't remember the exact date of the fix - a month or
> two).

IMNSHO, the vsprintf call in xutil.c:real_plog() should be converted
to vsnprintf(ptr, 1024, efmt, vargs); otherwise similar new vulnerabilities
can easily occur.

-- 
Zdenek Salvet                                              salvet@ics.muni.cz 
Ustav vypocetni techniky Masarykovy univerzity, Brno
tel.: ++420-5-41 512 257                           Fax: ++420-5-41 212 747
----------------------------------------------------------------------------
         God isn't dead, He's just trying to avoid the draft.
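The conversion Zdenek proposes, shown as an added example that is not amd's code and not from the original message: a fixed-size log formatter written the unbounded way (vsprintf, the pattern behind the CA-99-12 overflow) next to the bounded way (vsnprintf), plus a check of what the bounded call reports. The function names, LOGBUF_SIZE and the sample input are assumptions made for this example, not identifiers from amd.

```c
/*
 * Added example, not amd's own code: the vsprintf pattern that overruns a
 * fixed 1024-byte buffer, beside the vsnprintf replacement suggested above.
 * log_unbounded, log_message, needed_length, make_overlong and LOGBUF_SIZE
 * are hypothetical names chosen for this example.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF_SIZE 1024   /* the 1024-byte buffer size the mail refers to */

/* The unbounded pattern: vsprintf writes as many bytes as the message needs,
 * so a message longer than the buffer runs past its end. Kept only for
 * comparison; never call it on attacker-influenced data. */
static void log_unbounded(char *buf, const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);
    va_end(ap);
}

/* The bounded pattern: vsnprintf writes at most bufsz bytes, NUL included,
 * and (C99) returns the length the full message needed. Returns 1 if the
 * message was cut short, 0 otherwise. */
static int plog_bounded(char *buf, size_t bufsz, const char *fmt, va_list ap)
{
    int n = vsnprintf(buf, bufsz, fmt, ap);
    if (n < 0) {                 /* pre-C99 libcs returned -1 on truncation */
        buf[bufsz - 1] = '\0';   /* make sure the buffer is terminated anyway */
        return 1;
    }
    return (size_t)n >= bufsz;   /* n >= bufsz means the tail was dropped */
}

/* Variadic wrapper around plog_bounded; returns 1 on truncation, 0 otherwise. */
static int log_message(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int truncated;

    va_start(ap, fmt);
    truncated = plog_bounded(buf, bufsz, fmt, ap);
    va_end(ap);
    return truncated;
}

/* Bytes (NUL included) that vsprintf would write for this message, computed
 * with vsnprintf(NULL, 0, ...) so nothing is actually written anywhere. */
static int needed_length(const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? -1 : n + 1;
}

/* Constructed sample input: an overlong string standing in for client-supplied
 * text that ends up in a log line. Fills dst with n-1 'A's plus a NUL. */
static void make_overlong(char *dst, size_t n)
{
    memset(dst, 'A', n - 1);
    dst[n - 1] = '\0';
}

int main(void)
{
    char big[2001];
    char buf[LOGBUF_SIZE];

    make_overlong(big, sizeof big);

    /* Short message: both versions behave the same. */
    log_unbounded(buf, "amd: mount %s", "host");
    printf("unbounded, short input: \"%s\"\n", buf);

    /* Overlong message: vsprintf would write far more than the buffer holds. */
    printf("bytes vsprintf would write: %d (buffer is %d)\n",
           needed_length("amd: mount %s", big), LOGBUF_SIZE);

    /* The bounded version stops at the buffer end and reports it. */
    if (log_message(buf, sizeof buf, "amd: mount %s", big))
        printf("bounded: truncated to %zu bytes\n", strlen(buf));
    return 0;
}
```

Two caveats worth keeping in mind when making this change across a code base: the return value of vsnprintf is the only signal that truncation happened, and its meaning differs between C99 libcs (the length the full message needed) and older ones (-1 or the number of bytes written), so the check has to handle both; and truncation is silent, so a log line cut short loses the tail of exactly the data an attacker chose, which is acceptable for a logger but not for code that later parses the buffer.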