FreeBSD -- Heap vulnerability in bspatch
The implementation of bspatch does not check for a
negative value on numbers of bytes read from the diff and
extra streams, allowing an attacker who can control the
patch file to write at arbitrary locations in the heap.
This issue was first discovered by The Chromium Project
and reported independently by Lu Tung-Pin to the FreeBSD
An attacker who can control the patch file can cause a
crash or run arbitrary code under the credentials of the
user who runs bspatch, in many cases, root.
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright