The debian-private mailing list leak, part 1.


Question about libc6 buffer overrun



-----BEGIN PGP SIGNED MESSAGE-----

Greeting,

I work on the staff of the NASA Incident Response Capability. We are currently
developing a NASA-wide bulletin concerning a buffer-overrun vulnerability in
GNU Lib C 2 that was recently announced on the Bugtraq mailing list. 

I perused the packages for the "Hamm" release of Debian, and it looked to
me that the libc6_2.0.5c-0.1.deb package was last updated on October 5.
Can you tell me if the package has been patched to fix the problem, or when
a patch might become available?  The information would be most helpful
to NASA systems administrators.

For your information, I have appended a copy of the Bugtraq message that
contains the patch below. More information can be obtained from the Bugtraq
mailing list archive at http://www.geek-girl.com/bugtraq/1997_4/

Thank you very much,

- --
- -- Lee E. Brotzman, NASA Automated Incident Response Capability (NASIRC)
- -- Phone: 814-861-5028  Fax: 814-861-3806  Email: leb@nasirc.hq.nasa.gov

Re: Buffer Overruns in RedHat 5.0

Andreas Jaeger (aj@ARTHUR.RHEIN-NECKAR.DE)
Tue, 16 Dec 1997 17:29:11 +0100

   * Next message: Aleph One: "CERT Advisory CA-97.28 - Teardrop_Land"
   * Previous message: Vadim Kolontsov: "[vadim@tversu.ru: Re: Linux
     inetd..]"
   * In reply to: Wilton Wong - ListMail: "Buffer Overruns in RedHat 5.0"
   * Next in thread: Cristian Gafton: "Re: Buffer Overruns in RedHat 5.0"

The appended patch should fix the Buffer Overrun in GNU libc 2.0.x
(RedHat 5.0 contains glibc 2.0.5c). Thanks for pointing out the bug,
Wilton.

The patch will be in glibc 2.0.6 which should be released soonish
(we're pre-release testing at the moment).  The patch has been for
some time already in the development version of glibc 2.1 but didn't
make it in the 2.0 track:-(. Sorry about that.

I'd advise everybody to upgrade to 2.0.6 when it's released since it
will fix other bugs as well.

Andreas

1997-05-23 15:26  Philip Blundell  <pjb27@cam.ac.uk>

        * resolv/res_query.c (res_querydomain): Avoid potential buffer
        overrun.  Reported by Dan A. Dickey <ddickey@transition.com>.

$ diff -u /dbase/glibc-2.0.6pre4/resolv/res_query.c /usr/glibc/src/libc/resolv/
- --- /dbase/glibc-2.0.6pre4/resolv/res_query.c   Mon Jan  6 23:05:43 1997
+++ /usr/glibc/src/libc/resolv/res_query.c      Mon Dec  8 09:05:53 1997
@@ -321,7 +321,7 @@
        u_char *answer;         /* buffer to put answer */
        int anslen;             /* size of answer */
 {
- -       char nbuf[MAXDNAME];
+       char nbuf[MAXDNAME * 2 + 2];
        const char *longname = nbuf;
        int n;
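Review bot: the hunk enlarges nbuf from MAXDNAME to MAXDNAME * 2 + 2 (presumably room for a MAXDNAME-byte name, a separating dot, a MAXDNAME-byte domain and a terminating NUL), but it does not show the code that fills nbuf, so it is not visible from the hunk alone that every write into nbuf is now bounded by the new size; the patch should include, or the reviewer should confirm, that the call in res_querydomain which joins name and domain limits each component to MAXDNAME bytes, otherwise a longer input would still overrun the larger buffer. Also, the leading "- " on the `---` and `-` lines is PGP clearsign dash-escaping from the signed e-mail, so the hunk needs that prefix stripped before it will apply with patch.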

- --
 Andreas Jaeger   aj@arthur.rhein-neckar.de    jaeger@informatik.uni-kl.de
  for pgp-key finger ajaeger@alma.student.uni-kl.de
    http://www.student.uni-kl.de/~ajaeger/


-----BEGIN PGP SIGNATURE-----
Version: PGP 4.01 Business Edition

iQEVAwUBNJ74YuodtmWmZKkzAQFBlQf+MFIUMEc0VGqnGTLZMg9wJnkIuGTrwmuE
i9CC2TWAP41CHwcusc+NB7AiOBsJZinicYl790H0kcaG6ES7BsCygZB+Nh0kjvVH
BVvjFEnvXXCEunJz8lvd988Ig8bNPdAOaYuyRV6hEMgzG+MSyyAEqLapz2eW8upV
XX0ZrneBZCI8TE4qmNfAZINnCUtqt1tnlQlo4Zw6WSn0DrNCKCKB9pu5BPnlbfIv
Ze11n5rnU+RRScnK+ghDuSHrMIl/i5nt0t2ZjAl3U4zKWvDt0T3afwk41En40RvS
Nj4DknYeqmtReNLM7x712yg8zd1m8vkidaYscVzoD0aZmebhAs8Uog==
=H9kE
-----END PGP SIGNATURE-----
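The sizing behind the res_query.c patch above, as an added example written for this archive page (it is not code from the e-mail, from Bugtraq or from glibc): a fixed buffer of MAXDNAME bytes cannot hold "name.domain" when both parts are allowed to be MAXDNAME bytes long, which is why the fix declares MAXDNAME * 2 + 2. The value MAXDNAME = 1025 is assumed from <arpa/nameser.h>, and the `%.*s.%.*s` join, the function names and the worst-case input are my own construction, not taken from the page.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed value of MAXDNAME (the resolver's maximum domain-name length,
 * 1025 in <arpa/nameser.h>); the e-mail itself does not state the number. */
#define MAXDNAME 1025
/* The post-patch size from the hunk: name + '.' + domain + NUL. */
#define NBUF_SIZE (MAXDNAME * 2 + 2)

/* Length of s, examining at most max bytes (a local stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t max) {
    size_t i = 0;
    while (i < max && s[i] != '\0')
        i++;
    return i;
}

/* Bytes needed, NUL included, to hold "name.domain" when each component is
 * capped at MAXDNAME bytes.  The worst case is exactly NBUF_SIZE. */
size_t joined_len(const char *name, const char *domain) {
    return bounded_len(name, MAXDNAME) + 1 + bounded_len(domain, MAXDNAME) + 1;
}

/* Bounded join of "name.domain" into buf.  Each component is cut to at most
 * MAXDNAME bytes by the %.*s precision, and snprintf never writes past
 * bufsize.  Returns 0 on success, -1 if the result does not fit; on failure
 * buf holds an empty string rather than a silently truncated name. */
int join_name_domain(char *buf, size_t bufsize, const char *name, const char *domain) {
    if (bufsize == 0)
        return -1;
    int n = snprintf(buf, bufsize, "%.*s.%.*s", MAXDNAME, name, MAXDNAME, domain);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed worst-case input: a MAXDNAME-byte name and a MAXDNAME-byte
 * domain.  Returns 1 if the join fits in a buffer of bufsize bytes, 0 if it
 * is rejected, -1 if bufsize exceeds the scratch buffer used here. */
int worst_case_fits(size_t bufsize) {
    static char name[MAXDNAME + 1], domain[MAXDNAME + 1], buf[NBUF_SIZE];
    if (bufsize > sizeof buf)
        return -1;
    memset(name, 'a', MAXDNAME);
    name[MAXDNAME] = '\0';
    memset(domain, 'b', MAXDNAME);
    domain[MAXDNAME] = '\0';
    return join_name_domain(buf, bufsize, name, domain) == 0;
}

int main(void) {
    char small[16];
    printf("\"www\" + \"example.com\" needs %zu bytes\n",
           joined_len("www", "example.com"));
    printf("fits in %zu bytes: %s\n", sizeof small,
           join_name_domain(small, sizeof small, "www", "example.com") == 0
               ? small : "(rejected)");
    printf("worst case in MAXDNAME bytes (pre-patch size): %s\n",
           worst_case_fits(MAXDNAME) ? "fits" : "rejected");
    printf("worst case in MAXDNAME * 2 + 2 bytes (patched size): %s\n",
           worst_case_fits(NBUF_SIZE) ? "fits" : "rejected");
    return 0;
}
```

The pre-patch declaration `char nbuf[MAXDNAME]` is the first of two things that have to agree: the buffer's size and the bound on the write into it. Enlarging the array removes the mismatch for inputs the resolver already caps at MAXDNAME per component; the bounded `snprintf` with `%.*s` precision is what keeps the write inside the buffer for anything longer, and a caller that checks the return value learns that the name was rejected instead of reading a truncated one.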

