-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Circa 2002-12-02 10:03:20 -0800 dixit Muhammad Faisal Rauf Danka:

: CERT Advisory CA-2002-34 Buffer Overflow in Solaris X Window Font Service
:
: Original release date: November 25, 2002
: Last revised: --
: Source: CERT/CC
:
: A complete revision history can be found at the end of this file.

  [...]

: Overview
:
: The Solaris X Window Font Service (XFS) daemon (fs.auto) contains a
: remotely exploitable buffer overflow vulnerability that could allow an
: attacker to execute arbitrary code or cause a denial of service.

  [...]

: Appendix A. - Vendor Information

  [...]

: OpenBSD
:
: We do not have XFS.

Not true. Observe:

- -------- cut here --------
$ rsync -av --partial rsync://ftp3.usa.openbsd.org/ftp/3.2/i386/xbase32.tgz .
  Welcome to ftp.usa.OpenBSD.org in Boulder, CO.
  For other mirror sites visit http://www.openbsd.org/ftp.html
       _____ ____ _____ _____
      / ___ \ | _ \ / ____| __ \
     / / / /___ ___ ____ | |_) | (___ | | | |
    / / / / __ \/ _ \/ __ \| _ < \___ \| | | |
   / /__/ / /_/ / __/ / / /| |_) |____) | |__| |
   \_____/ .___/\___/_/ /_/ |____/|_____/|_____/
        /_/
               | . The proactively secure Unix-like
           . |L /| . Operating System.
       _ . |\ _| \--+._/| . Please visit the OpenBSD web site
      / ||\| Y J ) / |/| ./ at http://www.openbsd.org/
     J |)'( | ` F`.'/
   -<| F __ .-< OpenBSD 3.2 has now been released!
     | / .-'. `. /-. L___ You can order a CD of OpenBSD 3.2
     J \ < \ | | O\|.-' from http://www.openbsd.org/orders.html.
   _J \ .- \/ O | | \ |F CD sales are important to support the
  '-F -<_. \ .-' `-' L__ continued development of the project.
 __J _ _. >-' )._. |-'
 `-|.' /_. \_| F
   /.- . _.< You may mirror the OpenBSD ftp archive via:
  /' /.' .' `\ rsync -avz ftp.usa.openbsd.org::ftp
   /L /' |/ _.-'-\ rsync -avz ftp.usa.openbsd.org::ftp/sub/path
  /'J ___.---'\|
    |\ .--' V | `. ` To mirror the cvs repository please use SUP:
    |/`. `-. `._) http://www.openbsd.org/anoncvs.html#sup
       / .-.\ Or use CVSup, see:
 VK \ ( `\ http://www.openbsd.org/cvsup.html
        `.\

receiving file list ... done
xbase32.tgz
wrote 60674 bytes read 42124 bytes 1099.44 bytes/sec
total size is 9043589 speedup is 87.97
$ gzip -dc xbase32.tgz |tar -tvf - |grep -i xfs
- -rwxr-xr-x 1 root wheel 77824 Oct 2 16:50 ./usr/X11R6/bin/xfs
- -rwxr-xr-x 1 root wheel 32768 Oct 2 16:50 ./usr/X11R6/bin/xfsinfo
$
- -------- cut here --------

The X Font Server is clearly there, and has been since at least
OpenBSD-3.0. I use it daily.

Perhaps there was a miscommunication between CERT and the OpenBSD
responder (for example, a misinterpretation of "XFS" as "SGI's XFS
journalled filesystem")?

- --
jim knoble | jmknoblepobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
"I am non-refutable." --Enik the Altrusian

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (Linux)
Comment: See http://www.pobox.com/~jmknoble/keys/ for my public key.

iEYEARECAAYFAj3tPj0ACgkQKJ/qqBOBFJFrywCgil4tbcjh4AEDWw0j5SNVN9Sv
QGAAn1cuG1Tj9REZh6P4Dvd+GbqSqXFa
=i8lQ
-----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]