9th April 2013
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429

http://www.cvedetails.com/cve/CVE-2011-2895/

Taken from your link, Barti.

States "The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8"

CVE was released in 2011. OpenBSD 3.8 was released in November 2005. In other words, the bug was fixed in OpenBSD six years before it was fixed in NetBSD, FreeBSD, Linux, etc...

How is this a vulnerability for OpenBSD, again?

You have to read the fine print.

Edit - This particular CVE is a perfect example of why I use OpenBSD (proactive bug hunting...it's really hard to exploit a bug in OpenBSD when the patch for it went in six years before it went public). The difference is, though, that I don't care what other people run. If they want to gamble with Linux because they're too lazy to do the research and put in the effort to maintain a system they're not familiar with, that's on them.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

Last edited by rocket357; 9th April 2013 at 01:56 AM.