In article <m3iu8coudx.fsfat_private>, Andreas Bogk <andreasat_private> wrote: > Raymond Dijkxhoorn <raymondat_private> writes: > > > 7. Problem description: > > > > Several potential buffer overruns have been corrected within the net-tools > > package. > > Could someone from RedHat please identify the programs in > question, their version numbers, the history of the code or something > else which allows me to find out whether I'm affected or not? > I'm not from RedHat. But maybe I can try to help a little, since I think I was the one who reported these vulnerabilities. I think the problem is present in nettools-1.52 and prior versions. There were a number of buffer overruns. To see an example of one, try grepping for strcpy in lib/inet.c; if you see something like ``strcpy(name, hp->h_name);'' you might have the vulnerable version; if you see lots of safe_strncpy()'s, you probably have the safe version. (I think.) Maybe this is enough to get you started. But please take this with a grain of salt. I am an outsider. For official answers, you'd do better to ask RedHat or the code maintainers. Credits: These buffer overruns were found with the help of an automated code auditing tool which was developed in collaboration with Jeff Foster, Eric Brewer, and Alex Aiken (also at Berkeley).
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:56 PDT