...

...

On my BSDI2.0 machine running Netscape 1.1N, this causes a segmentation fault and subsequent coredump. GDB reports nothing useable (stripped executable)

I cannot reproduce this bug on the following platforms:

Solaris 2.5 beta/Netscape 1.1N

I've reproduced it fine under sol2.4 1.1N. The page I tested from is http://www.aloha.net/~newsham/test.html. Simply click on the long test url and core dump. (You can view source before clicking to see what you are clicking on if you dont trust me :)

...

Howard Owen hbo@octel.com Octel Communications Corporation 1024/DC671C31 =

Ive tried this url, it does indeed core dump. Just had a quick look at the core. From first impressions, it's a global overwrite. Therefore we're not overwriting a flushed stack frame, so a syslog(3) style exploit is impossible. Global overwrites can be exploited, but due to the scenario we're looking at, I'd consider exploit chances to be very low indeed. Cheers, Neil -- Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way, M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl. ...like a badger with an afro throwing sparklers at the Pope... -- sameer Voice: 510-601-9777 Community ConneXion FAX: 510-601-9734 An Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org (or login as "guest") sameer@c2.org