
BSD libc contains a buffer overflow vulnerability - kumaranvpl
https://www.kb.cert.org/vuls/id/548487
======
topspin
The flaw appears in the oldest version of the source on GitHub, circa 1994;
"BSD 4.4 Lite Lib Sources." Who knows how far back it really goes.

It's really basic; get the kernel to cough up a bad sockaddr and bcopy will
scribble on your memory. That may seem far fetched but then you remember LKM
and maybe not. Incidentally OpenBSD dropped LKM support in 2014 [1],
presumably for hardening purposes.

[1] [https://news.ycombinator.com/item?id=8554003](https://news.ycombinator.com/item?id=8554003)

~~~
ben_bai
4.3BSD-Reno, basically unchanged since 1990 until yesterday.

[http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src...](http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/lib/libc/net/linkaddr.c)

Personally I'm more worried about the function returning obuf, a pointer to a
stack variable in link_ntoa.

~~~
tedunangst
That's not on the stack.

~~~
ben_bai
Oh indeed. Static it is...
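As an added example (not libc's code, and not from any of the posters above), here is a formatter in the shape of link_ntoa that keeps the static obuf the subthread discusses but checks the kernel-supplied lengths before copying; the struct name, its field names, the 46-byte data area and the 64-byte output buffer are constructed stand-ins, not the real sockaddr_dl definition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct sockaddr_dl: an interface name followed
 * by the link-level address inside sdl_data, with both lengths supplied by
 * the caller (in real life, by the kernel). Not the libc definition. */
struct example_sdl {
    uint8_t sdl_nlen;     /* length of the interface name in sdl_data */
    uint8_t sdl_alen;     /* length of the link-level address that follows it */
    uint8_t sdl_data[46];
};

/* Formats "name:aa.bb.cc" into a fixed static buffer, as link_ntoa() does
 * (static storage, not the stack). Unlike the 1990 code it first proves
 * the output fits and returns NULL instead of writing past obuf. */
const char *checked_link_ntoa(const struct example_sdl *sdl)
{
    static char obuf[64];
    size_t nlen = sdl->sdl_nlen, alen = sdl->sdl_alen, need, pos;

    /* The lengths must describe bytes that actually exist in sdl_data. */
    if (nlen + alen > sizeof(sdl->sdl_data))
        return NULL;
    /* Worst case: name, ':', "xx." per address byte, terminating NUL. */
    need = nlen + (nlen ? 1 : 0) + alen * 3 + 1;
    if (need > sizeof(obuf))
        return NULL;

    memcpy(obuf, sdl->sdl_data, nlen);
    pos = nlen;
    if (nlen)
        obuf[pos++] = ':';
    for (size_t i = 0; i < alen; i++)
        pos += (size_t)snprintf(obuf + pos, sizeof(obuf) - pos, "%s%02x",
                                i ? "." : "", sdl->sdl_data[nlen + i]);
    obuf[pos] = '\0';
    return obuf;
}

int main(void)
{
    /* Constructed inputs: a sane Ethernet address, then an oversized alen. */
    struct example_sdl ok  = { 3, 6, { 'e', 'm', '0', 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 } };
    struct example_sdl bad = { 0, 46, { 0 } };
    printf("%s\n", checked_link_ntoa(&ok));                              /* em0:00.11.22.33.44.55 */
    printf("%s\n", checked_link_ntoa(&bad) ? "formatted" : "rejected");  /* rejected */
    return 0;
}
```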

------
neom
Unrelated: In responsible disclosure, is it standard to notify the biggest
vendor first? I noticed apple was notified on Oct 10th, quite some time prior
to the other vendors.

~~~
jlgaddis
Perhaps it was discovered by an individual on OS X, reported (by the
individual) to Apple, reported (by either the individual or Apple) to CERT,
then CERT looked at it, found the other affected operating systems, and
reported it to them?

There's a number of ways this particular "ordering" could have occurred.

~~~
richardwhiuk
It's possible it was reported to Apple because they have a vulnerability
bounty program, so the individual who reported it could get a reward. That
might create an incentive to report it to larger targets who may run larger
bounty programs.

------
jimktrains2
It'll be interesting to know if OpenBSD is affected. They don't seem to have
responded yet.

~~~
elchief
tedu wrote a post about it: [http://www.tedunangst.com/flak/post/who-even-calls-link-ntoa](http://www.tedunangst.com/flak/post/who-even-calls-link-ntoa)

------
em3rgent0rdr
Top-Right corner shows this is Sponsored by the Department of Homeland
Security...nice to hear that agency is doing something good for regular
people's security.

from [http://www.dhs.gov/office-cybersecurity-and-communications](http://www.dhs.gov/office-cybersecurity-and-communications)
"The Office of Cybersecurity and Communications (CS&C), within the National
Protection and Programs Directorate, is responsible for enhancing the
security, resilience, and reliability of the Nation’s cyber and communications
infrastructure."

~~~
CamperBob2
_"The Office of Cybersecurity and Communications (CS&C), within the National
Protection and Programs Directorate, is responsible for enhancing the
security, resilience, and reliability of the Nation’s cyber and communications
infrastructure."_

That used to be part of the NSA's charter, more or less, before they decided
that playing offense was more fun.

