Subject: Re: converters/xlreader vulnerability fix
To: None <tech-pkg@NetBSD.org>
From: Curt Sampson <cjs@cynic.net>
List: tech-pkg
Date: 06/14/2005 10:19:37

So what do we want to do about this vulnerability? Do we want to keep
calling the program vulnerable even though it's most likely fixed? Or
does someone want to review the patch I committed and decide whether or
not it's fixed? Or do y'all just want to take my word for it that it's
fixed?

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.NetBSD.org
      Make up enjoying your city life...produced by BIC CAMERA

On Sun, 29 May 2005, Adrian Portelli wrote:

> Curt Sampson wrote:
>
>> On Mon, 9 May 2005, Jeremy C. Reed wrote:
>>
>>> (I assume nb0 means no PKGREVISION was defined or was it really set to
>>> zero?)
>>
>>
>> It was not defined.
>>
>> cjs
>
> Sorry for taking so long to respond; I missed this thread.
>
> You can find the sample exploit here:
> http://securesoftware.list.cr.yp.to/archive/0/10
>
> I couldn't reproduce it on NetBSD with 0.90 and _without_ your patch.
>
> adrian.
>
>