Date: Fri, 27 Aug 1999 13:35:51 +1000
From: Bruce Evans
Message-Id: <199908270335.NAA19831@godzilla.zeta.org.au>
To: hart@iserver.com, imp@village.org
Subject: Re: FreeBSD (and other BSDs?) local root exploit
Cc: freebsd-security@FreeBSD.ORG

>: Has anyone investigated patches to the fts(3) functions in libc? We've
>: seen kernel patches (to stop following symbolic links when dumping core?)
>: but it would be nice to fix the fts(3) bugs as well that started all of
>: this.
>
> Bruce has done that. He's trying to get them to the point he's happy

I checked my backups and found that I fixed it on May 6 (a week before
the first BUGTRAQ mail about it that I know of). Requests for reviews
were not responded to :-(.

> with them and track down all the implied POSIX issues that might
> result from changing fts. I will admit that I've been slow in the

Actually, all the C portability and programming issues. fts does bad
things like pointer arithmetic with pointers to storage that may have
been invalidated by realloc().

> This exploit pointed out several bugs. periodic shouldn't allow its

I wanted a review because I'm not a security person and didn't want to
guess the extent of the bug.

> children to dump core (since you don't want new core files in your
> dump every day), core dumps *MUST*NOT* follow symbolic links (which
> they didn't do in 2.x, but there was some backsliding in 3.x and 4.x
> in this area), fts has an overflow which can cause problems in large,
> wide trees. Had any one of these been different, the problem would
> not have happened. There are also some downstream issues with many

I think the pointer bug would just have been harder to exploit.

Bruce
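Added example, not code from this thread or from FreeBSD's fts(3): a minimal growable path buffer of the kind a tree walker keeps, showing the fix pattern for the bug class Bruce describes, where position is tracked as an offset and recomputed from the base after every realloc() instead of being held as a pointer into storage that the grow may have moved. The names pathbuf, pathbuf_init and pathbuf_push are assumptions, not names from the library.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative growable path buffer (added example, not the fts(3) code).
 * The position is an OFFSET (len), never a saved pointer: realloc() may move
 * the block, and any pointer into the old block is dead after a grow. */
struct pathbuf {
    char *base;  /* heap block, may move on every grow */
    size_t len;  /* bytes used, not counting the terminating NUL */
    size_t cap;  /* bytes allocated */
};

int pathbuf_init(struct pathbuf *pb, size_t cap)
{
    if (cap == 0 || (pb->base = malloc(cap)) == NULL)
        return -1;
    pb->base[0] = '\0';
    pb->len = 0;
    pb->cap = cap;
    return 0;
}

/* Append "/name" ("name" on an empty path). Returns 0, or -1 on failure. */
int pathbuf_push(struct pathbuf *pb, const char *name)
{
    size_t nlen = strlen(name);
    size_t need = pb->len + 1 + nlen + 1;          /* '/' + name + NUL */
    if (need > pb->cap) {
        size_t ncap = pb->cap;
        while (ncap < need) {
            if (ncap > SIZE_MAX / 2)
                return -1;                           /* refuse to overflow */
            ncap *= 2;
        }
        char *nb = realloc(pb->base, ncap);
        if (nb == NULL)
            return -1;                               /* old block still valid */
        pb->base = nb;  /* every pointer computed into the old block is now stale */
        pb->cap = ncap;
    }
    /* Writes go through base + offset, recomputed after the possible move. */
    if (pb->len > 0)
        pb->base[pb->len++] = '/';
    memcpy(pb->base + pb->len, name, nlen + 1);
    pb->len += nlen;
    return 0;
}
```

The dangerous variant is the same code with a `char *cur = pb->base + pb->len` saved before the grow and written through afterwards; with the offset kept instead, the write target is always derived from the current base.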