Mailinglist Archive: opensuse-security (260 mails)

< Previous Next >
Re: [suse-security] XFree86 4.0 local buffer overflow
  • From: Rupert Kittinger <kittinger@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 18 Jul 2000 10:22:50 +0200
  • Message-id: <397413DA.44353D39@xxxxxxxxxxxxxxxxxxxxxx>
tschweikle@xxxxxxxxxx wrote:
>
> fm@xxxxxxxxxxx:
>
> > I reasoned that it's the same code base, and if so,
> > then great. If not, sorry for the alert, but I
> > didn't want to wait for confirmation.
>
> They use the same code base. Buffer overflow exploits
> may work with both OS if using the same compiler and
> options on that compiler and beeing not related to
> system calls, because these are different for every
> operating system. Making some exploits work only
> on a certain OS.
>

Yes, but if the source does not check array boundaries sufficiently,
it may be possible to construct an exploit for another OS.

Exploits do not grow on trees, but once there is a known "soft spot" in
a widely used
piece of code, exploits can be expected to be available rather sooner
than later.

Rupert

--
Rupert Kittinger <kittinger@xxxxxxxxxxxxxxxxxxxxxx>
Department of Mechanics and Mechanisms
Graz University of Technology
Kopernikusgasse 24/III A-8010 Graz
pgp-keyID: EB7E995C; get public key from
http://www.openpgp.net/pgpsrv.html

< Previous Next >
References