LibC openBSD affected ?

LibC openBSD affected ?

polken
Is OpenBSD affected by http://tinyurl.com/js2vd28 ?

Vulnerability Note VU#548487 - BSD libc contains a buffer overflow
vulnerability <http://tinyurl.com/js2vd28>
The BSD libc library is vulnerable to a classic buffer overflow.

Re: LibC openBSD affected ?

Todd C. Miller
On Tue, 06 Dec 2016 20:40:47 +0000, carlos albino garcia grijalba wrote:

> Is OpenBSD affected by http://tinyurl.com/js2vd28 ?

Yes, the same code is present in OpenBSD.

 - todd

Re: LibC openBSD affected ?

Peter Nicolai Mathias Hansteen
In reply to this post by polken
On 12/06/16 21:40, carlos albino garcia grijalba wrote:
> Is OpenBSD affected by http://tinyurl.com/js2vd28 ?
>
> Vulnerability Note VU#548487 - BSD libc contains a buffer overflow
> vulnerability <http://tinyurl.com/js2vd28>
> The BSD libc library is vulnerable to a classic buffer overflow.

Yes. See http://www.tedunangst.com/flak/post/who-even-calls-link-ntoa

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: LibC openBSD affected ?

Todd C. Miller
On Wed, 07 Dec 2016 13:25:48 +0100, "Peter N. M. Hansteen" wrote:

> Yes. See http://www.tedunangst.com/flak/post/who-even-calls-link-ntoa

Right, link_ntoa(3) is not called with untrusted input so this is
a very minor issue.  Also, route and netstat are not setuid or
setgid on OpenBSD.

 - todd

Re: LibC openBSD affected ?

Theo de Raadt-2
> On Wed, 07 Dec 2016 13:25:48 +0100, "Peter N. M. Hansteen" wrote:
>
> > Yes. See http://www.tedunangst.com/flak/post/who-even-calls-link-ntoa
>
> Right, link_ntoa(3) is not called with untrusted input so this is
> a very minor issue.  Also, route and netstat are not setuid or
> setgid on OpenBSD.

I feel so much safer.  CERT is still performing a role they don't understand.

Re: LibC openBSD affected ?

Mihai Popescu-3
In reply to this post by polken
> I feel so much safer.  CERT is still performing a role they don't understand.

Could you detail, please? It's too short to get it as a joke or as a
serious thing.