Re: Netstd 3.07-17 multiple remote buffer overflows

From: Lupe Christoph (lupe@lupe-christoph.de)
Date: Sat May 25 2002 - 02:01:47 PDT

    On Friday, 2002-05-24 at 10:39:23 +0200, Spybreak wrote:
    
    > Release  : May 24, 2002
    > Author   : Spybreak (spybreakat_private)
    > Software : netstd
    > Version  : 3.07-17
    > URL      : debian.org
    > Status   : vendor contacted
    > Problem  : Multiple remote buffer overflows
    
    > Netstd is a package of networking utilities and daemons
    > from the Debian Linux distribution.
    
    Not true.
      http://packages.debian.org/stable/net/netstd.html
    says
      Package: netstd 3.07-17
      Legacy package that you should remove.
    
      This package exists only to provide smooth upgrades. Please remove it.
    
    And you neglected to mention that this is a package in the
    soon-to-be-replaced stable release (potato), not the soon-to-be-released
    currently-testing woody. Since many people don't run potato anymore
    because it is getting a little old, this matters a lot.
    
    > It is possible to remotely overflow buffers in several utilities
    > from the package, through owned DNS server.
    > The FQDN obtained from the reply is simply copied into small fixed
    > size buffer, without any check on the length of the answer.
    
    I wonder how you can overflow anything in any of the files that
    are in netstd-3.07-17:
    
      http://packages.debian.org/cgi-bin/search_contents.pl?searchmode=filelist&word=netstd&version=stable
    
      Debian package contents search results
    
      FILE                                                       PACKAGE
    
      usr/share/doc/netstd/README.debian                        net/netstd
      usr/share/doc/netstd/changelog.Debian.gz                  net/netstd
      usr/share/doc/netstd/copyright                            net/netstd
    
    > The same problem is present in these utils from the netstd 3.07-17
    > package:
    
    > - linux-ftpd
    
      http://packages.debian.org/cgi-bin/search_contents.pl?word=linux-ftpd&searchmode=searchfilesanddirs&case=insensitive&version=stable&arch=i386
      
      Debian package contents search results
      Can't find that file, at least not in that distribution and on that architecture.
    
    > - pcnfsd
    
    Do you mean the package pcnfsd 2.0-4? I do not see any bug filed
    against this package, by you or anybody else.
    
    > - tftp
    
    Package tftp 0.10-1? Again, I can't find any bug filed, by you or
    anybody else.
    
    > - traceroute
    
    Package traceroute 1.4a5-3? Again, no bugs filed.
    
    > - from/to
    
    What is this? The package bsdmainutils 4.7.1 has a /usr/bin/from,
    but no 'to'. It's impossible to sift through the hits on 'to' on
    the Debian package search page.
    
    You do not mention having contacted anybody on the Debian team,
    and you do not seem to have. Please follow protocol.
    
    Lupe Christoph
    -- 
    | lupe@lupe-christoph.de       |        http://free.prohosting.com/~lupe |
    | I have challenged the entire ISO-9000 quality assurance team to a      |
    | Bat-Leth contest on the holodeck. They will not concern us again.      |
    | http://public.logica.com/~stepneys/joke/klingon.htm                    |
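
The flaw class named in the quoted advisory (an FQDN from a DNS reply copied into a small fixed-size buffer with no length check), handled with a validated, bounded copy. This is an added example, not code from netstd, Debian, or either poster; the function names, the fallback to the numeric address, and the sample values are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MAX_LABEL 63   /* RFC 1035 limit for one label */
#define MAX_NAME  253  /* longest name in dotted text form */

/* 1 if name passes length and character-set checks, else 0. */
static int hostname_ok(const char *name)
{
    size_t len = strlen(name), label = 0;
    if (len == 0 || len > MAX_NAME)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0) return 0;            /* empty label */
            label = 0;
        } else if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || c == '-' || c == '_') {
            if (++label > MAX_LABEL) return 0;   /* oversized label */
        } else {
            return 0;                            /* control chars, spaces, ... */
        }
    }
    return 1;
}

/* Copy a resolver-supplied name into dst (dstsize bytes). A malformed or
 * oversized name is replaced by the numeric address text (hypothetical
 * policy). Returns 0 = name used, 1 = fallback used, -1 = nothing fits. */
int copy_peer_name(char *dst, size_t dstsize, const char *dns_name,
                   const char *numeric_addr)
{
    const char *src = dns_name;
    int rc = 0;
    if (dstsize == 0)
        return -1;
    if (src == NULL || !hostname_ok(src) || strlen(src) >= dstsize) {
        src = numeric_addr;                      /* never trust reply length */
        rc = 1;
    }
    if (src == NULL || strlen(src) >= dstsize) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, strlen(src) + 1);           /* length checked above */
    return rc;
}
```

The length test uses `>=` so that the terminating NUL always fits, and the character check keeps attacker-chosen bytes from a reply out of logs and later string handling.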
    


