Subject: Re: Fwd: CERT Advisory CA-2002-12 Format String Vulnerability in
To: Paul Hoffman <phoffman@proper.com>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-security
Date: 05/08/2002 15:15:30
On Wed, 8 May 2002, Paul Hoffman wrote:

> - The dhcpd in 1.5.1 reports that it is 3.0b2pl24. The message below
> says that it is fixed in NetBSD but apparently not in ISC's dhcpd.
> Does this mean that we have forked from the ISC source tree? If so,
> could we come up with a slightly more sensible version numbering
> scheme?

Probably the changes are very small compared to the official 3.0 Beta 2
Patchlevel 24.

> - When we found the vulnerability 18 months ago, did we report it to
> ISC? If not, why not? If so, could they really be so lame as to muff
> this?

Just because syslog formatting was improved doesn't mean that a security
issue was fixed. Probably the vulnerability wasn't even known.

> >      NetBSD  fixed  this  during  a  format  string  sweep  performed on
> >      11-Oct-2000.  No  released  version of NetBSD is vulnerable to this
> >      issue.

Thank you drochner, sommerfeld and Ignatios (and anyone else involved).

Similar situations have been seen in OpenBSD (and NetBSD) over the past
few years -- vulnerabilities already fixed by past code improvements.

   Jeremy C. Reed
   http://www.reedmedia.net/
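As an added illustration of the "syslog formatting" change the reply above refers to (example code written for this page, not ISC dhcpd's or NetBSD's source): a format string sweep of the kind the CERT text credits to NetBSD replaces calls that hand untrusted text directly to a printf-style function as the format argument with a constant "%s" format. The two wrappers below are hypothetical and write into a caller-supplied buffer instead of syslog(3) so the difference can be inspected; the input hostname is constructed. Because "%x" or "%n" without matching arguments is undefined behaviour, the demonstration uses the one directive that is well defined without arguments, "%%", which is collapsed to "%" only when the text is interpreted as a format.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrappers written for this example; they are not
 * ISC dhcpd's code. They write to a buffer instead of syslog(3) so the
 * result can be compared. */

/* Vulnerable pattern: the caller's text is used as the format string,
 * so any '%' directives in it are interpreted by the printf engine.
 * Compilers flag this with -Wformat-security. */
int log_unsafe(char *out, size_t outlen, const char *msg)
{
    const char *fmt = msg;               /* BUG: untrusted text as format */
    return snprintf(out, outlen, fmt);
}

/* Fixed pattern (what a format string sweep rewrites each call site to):
 * the format is a literal and the text travels as a "%s" argument. */
int log_safe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Counts '%' conversion directives in untrusted text, skipping the
 * literal "%%" escape. A non-zero count on data that reaches a format
 * parameter is the condition a sweep or a reviewer looks for. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }   /* literal percent */
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed input: a client-supplied hostname carrying "%%". */
    const char *hostname = "host-50%%-done";
    char buf[64];

    log_unsafe(buf, sizeof buf, hostname);
    printf("unsafe: %s\n", buf);   /* directive consumed: host-50%-done */
    log_safe(buf, sizeof buf, hostname);
    printf("safe:   %s\n", buf);   /* text preserved:     host-50%%-done */
    printf("directives in \"%%x%%x%%n\": %zu\n",
           count_directives("%x%x%n"));
    return 0;
}
```

The point the example makes about the reply's argument: a call site changed from `log(buf)` to `log("%s", buf)` during a general cleanup closes the format string hole whether or not anyone recognised it as one at the time, which is why a fix can predate the advisory without a report ever having gone to ISC. Building with `-Wformat-security` (gcc and clang) reports the `log_unsafe` pattern at compile time.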