Date: Sun, 9 Feb 1997 11:13:03 -0500 (EST)
From: Dev Chanchani <dev@trifecta.com>
To: David Greenman <dg@root.com>
Cc: tqbf@enteract.com, sadmin@roundtable.cif.rochester.edu, freebsd-security@FreeBSD.ORG
Subject: Re: 2.1.7
Message-ID: <Pine.BSF.3.91.970209111131.2503B-100000@www.trifecta.com>
In-Reply-To: <199702090655.WAA07032@root.com>
On Sat, 8 Feb 1997, David Greenman wrote:

> crt0 is static and part of every binary.
>
> The real problem is with what crt0 calls - _startup_setlocale() in libc,
> which does a getenv of PATH_LOCALE and copies it to a stack buffer without
> bounds checking. I removed the getenv call from the libc code, so this attack
> simply doesn't exist anymore. Anything that is built shared/dynamic will
> get the new libc and thus will no longer be vulnerable.

_startup_setlocale() actually does the getenv from PATH_LOCALE; however, _startup_setrunlocale() actually copies PATH_LOCALE over name[1024].

I was under the impression that re-building libc would not work because such utilities as ping, at, etc. are built statically, thus having the buggy code in the utilities.
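The defect discussed in this thread is an environment value (PATH_LOCALE) copied into a fixed 1024-byte stack buffer with no length check. The fix David Greenman describes is to drop the getenv call entirely; the example below, added here and not taken from FreeBSD's libc, shows the other standard remedy, a copy that rejects any value that will not fit with its terminating NUL. The function names copy_locale_path and load_path_locale and the LOCALE_NAME_MAX constant are hypothetical stand-ins for the real _startup_setrunlocale() code and its name[1024] buffer. As the reply above notes, a libc fix of either kind only reaches statically linked programs once they are relinked against the repaired library.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the 1024-byte name[] buffer the thread describes. */
#define LOCALE_NAME_MAX 1024

/*
 * Bounds-checked copy of an untrusted environment value (such as PATH_LOCALE)
 * into a fixed-size buffer.  Returns 0 on success.  Returns -1 and leaves dst
 * as an empty string when the value is missing or would not fit together
 * with its terminating NUL: an overlong locale path is rejected outright
 * rather than silently truncated, so the caller falls back to the default.
 */
int copy_locale_path(char *dst, size_t dstlen, const char *value)
{
    if (dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (value == NULL)
        return -1;

    size_t n = strlen(value);
    if (n >= dstlen)            /* no room for the NUL: reject, do not overflow */
        return -1;

    memcpy(dst, value, n + 1);  /* n + 1 copies the terminating NUL as well */
    return 0;
}

/* Read PATH_LOCALE from the environment through the checked copy. */
int load_path_locale(char *dst, size_t dstlen)
{
    return copy_locale_path(dst, dstlen, getenv("PATH_LOCALE"));
}

int main(void)
{
    char name[LOCALE_NAME_MAX];

    if (load_path_locale(name, sizeof name) == 0)
        printf("PATH_LOCALE accepted: %s\n", name);
    else
        printf("PATH_LOCALE unset or too long; using the default locale path\n");
    return 0;
}
```

Run it with PATH_LOCALE unset, with a short path, and with a value longer than 1023 characters; the last case is reported and the buffer stays empty instead of being overrun.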
