Subject: Re: *READ THIS* snapshot fixes security hole *READ THIS*
To: None <igb@ftel.co.uk, andym@ftel.co.uk>
From: Ian Fitchet <I.D.Fitchet@ftel.co.uk>
List: current-users
Date: 08/29/1995 14:35:31
Ian,

	From the NetBSD mailing list.

	Must tootle off and see what it's about...

 On Tue, 29 Aug 1995 06:58:41 -0400, Thor Lancelot Simon <tls@rek.tjls.com> said:

>Re the recent 8LGM advisory about a severe security hole involving a buffer
>overrun in syslog(3) on essentially all modern Unix and Unix-like systems --

>By 9AM a set of -current binaries for the i386 should be available which fix
>the specific problem the 8LGM advisory addresses, and one other related
>problem which we noticed while reading the code after receiving the 8LGM
>advisory.  You can get them from ftp.wasabi.com.

>Be aware that some of us who've looked at the problem think there may well be
>some number of similar problems elsewhere in libc and in other libraries; these
>problems, if they exist, are probably in a great number of other operating
>systems as well.  I'll be preparing binary snapshots as other holes are found
>and fixed, and making source patches available.

>I will try to make a (somewhat awkward) binary patch kit for NetBSD/i386 1.0
>available as well, probably by a bit later this morning.

>Perry Metzger should be sending a (unpretty) patch to libc/gen/syslog.c to
>this list either as I write this or sometime soon; we hope that the core
>team will integrate it as soon as they're awake. :-)  Applying this patch and
>doing a *complete* build and install will fix your problem; you could also
>try to just rebuild libc and any statically-linked executables that use
>syslog(), but that's likely to be confusing and you _don't_ want to screw up.

>You can get the binaries from ftp.wasabi.com.  This is *not* any kind of
>official core team snapshot or release, and anything that's broken is my
>fault.  I'm doing this snapshot to try to help other NetBSD users avoid
>getting burned -- the 8LGM advisory is not an explicit how-to, but a quick
>examination of the code is all that's really needed to see how to exploit this
>hole.

>Many thanks to John Hawkinson at MIT, Perry Metzger (like me, at Wasabi) and
>Eric Volpe and Alexis Rosen at Panix for the skull sweat to come up with the
>syslog.c patch and make sure it works.  No thanks at all to programmers who
>shove external data through sprintf() and friends -- !



Cheers,

	Ian