Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

question about oracle advisory

From: Tina Bird <tbird () precision-guesswork com>
Date: Fri, 25 Jul 2003 12:59:20 -0700 (PDT)

Oracle's released three security-related patches today.  I'm trying to
get my head around them to write up a Stanford Security Alert, but
there's conflicting information.  According to
http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf the buffer
overflow in the EXTPROC code can only be triggered by an authenticated
user with the CREATE LIBRARY or CREATE ANY LIBRARY privilege.

According to the NGSSoftware advisory that announced the vulnerability,
the buffer overflow can be exploited without any authentication or
privilege-checking.

Anyone have any ideas?

thanks -- tbird

--
A computer lets you make more mistakes faster than any invention in human
history - with the possible exception of handguns and tequila.

                                 -- Mitch Ratliff

http://www.precision-guesswork.com
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com
tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
Previous By Date Next
Previous By Thread Next

Current thread: