[themafia]

> You are strictly better off with the website than without it.

Why? This is a better resource in every way: https://cgit.freebsd.org/src/commit/?id=000d5b52c19ff3858a6f...

It details the actual problem instead of showing off tired stack exploit tricks.

[tptacek]

No, that commit log is obviously not better than the page explaining the vulnerability and the exploit vectors.

Case in point: what's "tired" about the stack exploitation techniques they're using here?

And, while you're not right, even stipulating that you were, what would that matter? How is anyone better off with less explanation of a vulnerability?

[themafia]

The website explains an exploit. I've seen exploits before. The commit explains the unique issue.

I'm more interested in the why than the how.

I suppose people with different overall goals will see that differently.

[tptacek]

You didn't answer my question. What's "tired" about the exploit technique here?

[tom_]

Is that even the fix though? The problem sizeof*groups expression has already been removed by that point. This fixes something but it's not obviously related to the vulnerability description.

git log -S suggests 4cd93df95e697942adf0ff038fc8f357cbb07cf9, which looks more likely: https://cgit.freebsd.org/src/commit/?id=4cd93df95e697942adf0... - though not to say you don't want the later commit too. I'm sure you do.