[ DownBload @ 09.03.2005. 16:59 ] @
A few days ago the LSS Security team published a remote buffer overflow
vulnerability in the Ethereal sniffer.
Below are the URLs for the advisory and a small addon (which sunnis
prompted me to write ;):

Advisory:
http://www.securityfocus.com/a...392659/2005-03-06/2005-03-12/0
addon:
http://www.securityfocus.com/a...392720/2005-03-06/2005-03-12/0

Original advisory:
http://security.lss.hr/index.p...=details&ID=LSS-2005-03-04

You can take this advisory as an "exploitation challenge" :)))

Regards...
[ EArthquake @ 09.03.2005. 22:21 ] @
http://www.securityfocus.com/a...392722/2005-03-06/2005-03-12/0
and what's this, huh?

don't tell me now that you didn't know about this

just kidding, of course

[ DownBload @ 10.03.2005. 00:08 ] @
Quote:
EArthquake: http://www.securityfocus.com/a...392722/2005-03-06/2005-03-12/0
and what's this, huh?

don't tell me now that you didn't know about this

just kidding, of course


I hope you're not calling me to order....
That's some guy who discovered the bug independently of me and reported it to the
developers first, and now he's angry because I was the first to send it to Bugtraq.
I replied to that mail of his, but you won't see that post on Bugtraq until
tomorrow, so here it is now, copy-pasted:

From me ........
---------------------------------------------------------------------------
Hi folks,

>>Diego Giagio
>This vulnerability was first discovered by me, on 01/Mar/2005.
> The vendor was immediately contacted, as you can see below:
>
>http://marc.theaimsgroup.com/?...&m=110973103628823&w=2
>http://marc.theaimsgroup.com/?...&m=110973731214683&w=2
>

Sorry, but I discovered that Ethereal bug more than three weeks ago,
and the developers were contacted a few days ago (7/Mar/2005).
They said that the vulnerability is already known to them, the bug is fixed,
and that a new version will be out during this week.
After that, the advisory was sent to Bugtraq :).

I had never seen that URL before the Ethereal developers pointed me to
the first one. Even if I had seen that URL before, in your post
mentioned above you just said that there is some vulnerability in
Ethereal, and that an exploit was developed as a PoC, so how could I steal
anything from you???

Diego, please stop sending mails to LSS Security saying that we
*STOLE* that bug from you, because that is silly, and because
I would never do something like that.


If you don't believe me, here is mail transcript between me and Ethereal
developers related to this bugreport:
-----------------------------------------------------------
Leon Juranic wrote:
>>
>>> Hi,
>>>
>>> During our audit of Ethereal, we have discovered a stack buffer overflow
>>> vulnerability in the packet-3g-a11.c dissector that can be exploited remotely.
>>> More information and a PoC exploit are attached.
>>> We will release this advisory in the next few days.
>>> Is that ok with you?
>>

Richard Sharpe wrote:
>> Can you wait a few more days please.
>>
>> We have a release occurring this week to fix another security problem, so
>> we would like a chance to roll this one in as well.
>

Guy Harris wrote:
> From a quick look, it appears that, unless I've missed something, this one
> *is* the other security problem.
>
> Leon, you might want to look at the current SVN version of packet-3g-a11.c -
> in particular, this change:
>
> http://anonsvn.ethereal.com/viewcvs/viewcvs.py/trunk/epan/dissectors/packet-3g-a11.c?rev=13574&r1=13562&r2=13574
>
> (which cleans up some other potential problems). Buildbot builds (Windows
> binaries and source tarballs) can be found at
>
> http://netmirror.org/mirror/ftp.ethereal.com/buildbot-builds/
>
> (avoiding the trans-Atlantic hop that the main Ethereal site would require) -
> get a version with a number >= 13574.
>

Guy Harris wrote:
>
>> BTW: Who notified you about that vulnerability,
>> Diego Giagio
>
>> and when?
>> A few days ago:
>
> http://www.ethereal.com/lists/ethereal-dev/200503/msg00023.html
>> and later private mail giving details.
>
-----------------------------------------------------------


Regards,
------------------------------------------
Leon Juranic, LSS Security
http://security.lss.hr

"Born under the lucky star magical,
but on this world generally tragical".
- Djole
[ EArthquake @ 10.03.2005. 14:46 ] @
I hope you didn't take me seriously

of course I didn't think for a moment that you stole anything

how could you even have known

I can imagine how annoyed you got when you saw the post from this Diego or whatever his name is :)

and you're saying they sent mails to LSS that you stole it
what people

[ DownBload @ 10.03.2005. 15:21 ] @
Quote:
EArthquake: I hope you didn't take me seriously

of course I didn't think for a moment that you stole anything

how could you even have known

I can imagine how annoyed you got when you saw the post from this Diego or whatever his name is :)

and you're saying they sent mails to LSS that you stole it
what people


Nah, I didn't take anything seriously :) I just posted what this is about :)
I didn't get too annoyed at Diego.... it was practically all the same to me because I had
already published the bug :)

Regards...