Re: About the vulnerabilities in tcpdump and gzip.
--kfjH4zxOES6UT95V
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On 2005.05.15 22:55:44 +0200, Jesper Wallin wrote:
> About a week ago, right after 5.4-RELEASE was released, I received a=20
> mail from Gentoo Linux's security announcement list about a flaw in=20
> tcpdump and gzip. Since none of them are operating system related, I=20
> assumed a -p1 and -p2 of the 5.4-RELEASE. Instead, we got a patch for=20
> the HTT security issue so I wonder, is the FreeBSD version of tcpdump=20
> and/or gzip are secured or simply forgotten/ignored?
I'm rather sure that FreeBSD is vulnerable to the tcpdump issue (since
I don't see any reason we should not be), but unfortunately the
proof-of-concept code does not work on FreeBSD, so I have not yet been
able to verify the problem. That said, an advisory is upcomming, but
I cannot give you a date yet.
It should be noted that the tcpdump issue is DoS, not remote code
execution.
I do not know the status of the gzip issue, but I will look into it.
Both tcpdump and gzip issues are certainly not ignored, but preparing
an advisory (and all the related tasks) takes some time.
--=20
Simon L. Nielsen
FreeBSD Security Team
--kfjH4zxOES6UT95V
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
iD8DBQFCifDPh9pcDSc1mlERAkE+AKCs42Z8TMaYPFAJuBfQzRuPPcGrhQCggWng
7a9mET6iXCSFDoXL0B2VI1E=
=sHnP
-----END PGP SIGNATURE-----
--kfjH4zxOES6UT95V--