Subject: Re: NetBSD Security Advisory 2007-004: Insufficient length checking
To: None <tech-security@NetBSD.org>
From: Anne Bennett <anne@porcupine.montreal.qc.ca>
List: tech-security
Date: 07/28/2007 13:41:04

On Thu, 29 Mar 2007, NetBSD Security-Officer wrote:
> NetBSD Security Advisory 2007-004
[...]
> NetBSD 3.1: affected
[...]
> Fixed: [...]
> NetBSD-3-1 branch: March 29, 2007
[...]
> To update from CVS, re-build, and re-install the kernel:
>
> # cd src
> # cvs update sys/netiso/clnp_subr.c
[and rebuild kernel]

I have tried this (cd /usr/src; cvs update sys/netiso/clnp_subr.c) and
as far as I can tell by the date stamps on clnp_subr.c (mod time
2005-02-26, ctime 2007-01-16 which is when I installed the system), I
am not getting updated code. This is NetBSD 3.1 release (based on the
contents of /usr/src/CVS/Tag: Nnetbsd-3-1-RELEASE). If I trace the
cvs call:

: quill[root]:/usr/src ; cvs -t update sys/netiso/clnp_subr.c
-> main loop with CVSROOT=anoncvs@anoncvs.netbsd.org:/cvsroot
-> Starting server: ssh -l anoncvs anoncvs.netbsd.org cvs server
-> Lock_Cleanup()
-> Lock_Cleanup()

... apparently nothing to update. Help?

Anne Bennett.