[30902] in bugtraq
question about oracle advisory
daemon@ATHENA.MIT.EDU (Tina Bird)
Fri Jul 25 16:35:17 2003
Date: Fri, 25 Jul 2003 12:59:20 -0700 (PDT)
From: Tina Bird <tbird@precision-guesswork.com>
To: bugtraq@securityfocus.com
Message-ID: <Pine.BSO.4.53.0307251258460.4530@rhiannon.precision-guesswork.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Oracle's released three security-related patches today. I'm trying to
get my head around them to write up a Stanford Security Alert, but
there's conflicting information. According to
http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf the buffer
overflow in the EXTPROC code can only be triggered by an authenticated
user with the CREATE LIBRARY or CREATE ANY LIBRARY privilege.
According to the NGSSoftware advisory that announced the vulnerability,
the buffer overflow can be exploited without any authentication or
privilege-checking.
Anyone have any ideas?
thanks -- tbird
--
A computer lets you make more mistakes faster than any invention in human
history - with the possible exception of handguns and tequila.
-- Mitch Ratliff
http://www.precision-guesswork.com
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com
tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
