freebsd security - Apr 2008 - CVE-2008-1391 - Multiple BSD Platforms "strfmon()" Function Integer Overflow

Hello,

According to the information at mitre.org, both 6.x and 7.0 are
vulnerable. I see in NetBSD's CVS log for
src/lib/libc/stdlib/strfmon.c, they have patched this on March
27.
Looking at FreeBSD's CVS log at
http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdlib/strfmon.c,
 shows that no changes have been made since Mon Sep 12, 2005.
Is our strfmon() not vulnerable as reported?

stheg 


     
____________________________________________________________________________________
You rock. That's why Blockbuster's offering you one month of Blockbuster
Total Access, No Cost.
http://tc.deals.yahoo.com/tc/blockbuster/text5.com

On 2008.04.06 12:47:11 -0700, stheg olloydson wrote:
> According to the information at mitre.org, both 6.x and 7.0 are
> vulnerable. I see in NetBSD's CVS log for
> src/lib/libc/stdlib/strfmon.c, they have patched this on March
> 27.
Note that the change in NetBSD is possibly incomplete to fix the
issue.  I'm not sure what the final conclusion was on that.
> Looking at FreeBSD's CVS log at
> http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdlib/strfmon.c,
>  shows that no changes have been made since Mon Sep 12, 2005.
> Is our strfmon() not vulnerable as reported?
The FreeBSD version is affected and will be fixed in -CURRENT / HEAD
shortly.  The FreeBSD Security Team has yet to be able to come up with
any real cases where this is an actual security issue, so unless we
find any place where this is actually a problem, the issue will be
handled as a normal bug and merged to -STABLE branches acordingly.

Note that allowing untrusted format strings to be used is normally a
bad idea, so any application where the strfmon issue is a problem are
likely already broken.

-- 
Simon L. Nielsen
FreeBSD Security Team