CVE-2008-1391 - Multiple BSD Platforms "strfmon()" Function Integer Overflow

Adrian Portelli adrianp at
Sun Apr 6 22:18:45 UTC 2008

Simon L. Nielsen wrote:
> On 2008.04.06 12:47:11 -0700, stheg olloydson wrote:
>> According to the information at, both 6.x and 7.0 are
>> vulnerable. I see in NetBSD's CVS log for
>> src/lib/libc/stdlib/strfmon.c, they have patched this on March
>> 27.
> Note that the change in NetBSD is possibly incomplete to fix the
> issue.  I'm not sure what the final conclusion was on that.

The final conclusion was a subsequent commit on the 27th:

We're still in the process of getting the changes pulled up.


More information about the freebsd-security mailing list