OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: OpenBSD Security Advisory
From: Tim Yardley (yardleyUIUC.EDU)
Date: Wed Oct 04 2000 - 12:48:31 CDT

I would like to add to this in stating that it seems to almost always be
OpernBSD's practice to silently fix bugs. I also agree that it is not in
the best interest of everyone else out there.

To expound upon the fstat issue, on 2.6 (using the canned exploit) you get
egid=2 (kmem). 2.8 does not give you a shell, but instead results in a
"File name too long" message.

/tmy

At 02:31 AM 10/4/2000, K2 wrote:
> Here is another exploit for an application (fstat) that
>OpenBSD's
>format string audit has seemingly forgotten about. What I would like to

<snip>

>Where are these advisories from the OpenBSD TEAM? Is their pride to
>great to accept these bugs, code fix, announce patch and move on?
>
>I do not believe that silently fixing vulnerabilities is in the best
>interest of anybody.
>
>------------------
>K2 (ktwoktwo.ca)
>http://www.ktwo.ca
>
>PS. Thx caddis for some tips ;)/*
> * theoBSD fstat - private caddis & K2 release
> * TagTeam exploit coding $_*#%*&(#%(**($*($
> *
> * greets: #!adm, #!teso, #!w00w00
> *
> */

<snip>

/tmy

-- Diving into infinity my consciousness expands in inverse
    proportion to my distance from singularity

+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- -
--------------+
| Tim Yardley (yardleyuiuc.edu)
| http://www.students.uiuc.edu/~yardley/
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- -
--------------+