

buffer overflow bug in glibc 2.0.5c



Hi, I'm with glibc development, and we wanted to make sure you were notified
of this bug, as it is a potentially major security hole.

zw


------- Forwarded Message

Date:    Tue, 16 Dec 1997 17:29:11 +0100
From:    Andreas Jaeger <aj@ARTHUR.RHEIN-NECKAR.DE>
To:      BUGTRAQ@NETSPACE.ORG
Subject: Re: Buffer Overruns in RedHat 5.0

The appended patch should fix the Buffer Overrun in GNU libc 2.0.x
(RedHat 5.0 contains glibc 2.0.5c). Thanks for pointing out the bug,
Wilton.

The patch will be in glibc 2.0.6 which should be released soonish
(we're pre-release testing at the moment).  The patch has been for
some time already in the development version of glibc 2.1 but didn't
make it in the 2.0 track:-(. Sorry about that.

I'd advise everybody to upgrade to 2.0.6 when it's released since it
will fix other bugs as well.

Andreas

1997-05-23 15:26  Philip Blundell  <pjb27@cam.ac.uk>

        * resolv/res_query.c (res_querydomain): Avoid potential buffer
        overrun.  Reported by Dan A. Dickey <ddickey@transition.com>.

$ diff -u /dbase/glibc-2.0.6pre4/resolv/res_query.c /usr/glibc/src/libc/resolv/
--- /dbase/glibc-2.0.6pre4/resolv/res_query.c   Mon Jan  6 23:05:43 1997
+++ /usr/glibc/src/libc/resolv/res_query.c      Mon Dec  8 09:05:53 1997
@@ -321,7 +321,7 @@
        u_char *answer;         /* buffer to put answer */
        int anslen;             /* size of answer */
 {
-       char nbuf[MAXDNAME];
+       char nbuf[MAXDNAME * 2 + 2];
        const char *longname = nbuf;
        int n;
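
Review bot: the new size in `char nbuf[MAXDNAME * 2 + 2];` is safe only if whatever is written into nbuf is itself bounded, and nothing in this hunk checks that. The `* 2 + 2` reads as room for two MAXDNAME-sized strings plus a separator and a terminator, but that assumption is not stated and not enforced here, so enlarging the array moves the overrun threshold rather than removing it. I would add an explicit length test before nbuf is filled (fail the query when the combined length would exceed sizeof(nbuf)) and a comment beside the declaration saying what the two extra bytes account for.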

--
 Andreas Jaeger   aj@arthur.rhein-neckar.de    jaeger@informatik.uni-kl.de
  for pgp-key finger ajaeger@alma.student.uni-kl.de
    http://www.student.uni-kl.de/~ajaeger/


------- End of Forwarded Message

