Date:      Sun, 9 Feb 1997 11:13:03 -0500 (EST)
From:      Dev Chanchani <dev@trifecta.com>
To:        David Greenman <dg@root.com>
Cc:        tqbf@enteract.com, sadmin@roundtable.cif.rochester.edu, freebsd-security@FreeBSD.ORG
Subject:   Re: 2.1.7 
Message-ID:  <Pine.BSF.3.91.970209111131.2503B-100000@www.trifecta.com>
In-Reply-To: <199702090655.WAA07032@root.com>

On Sat, 8 Feb 1997, David Greenman wrote:

>    crt0 is static and part of every binary.
> 
>    The real problem is with what crt0 calls - _startup_setlocale() in libc,
> which does a getenv of PATH_LOCALE and copies it to a stack buffer without
> bounds checking. I removed the getenv call from the libc code, so this attack
> simply doesn't exist anymore. Anything that is built shared/dynamic will 
> get the new libc and thus will no longer be vulnerable.

_startup_setlocale() actually does the getenv from PATH_LOCALE; however, 
_startup_setrunlocale() actually copies PATH_LOCALE over name[1024].

I was under the impression that re-building libc would not work because 
such utilities as ping, at, etc. are built statically, thus having the 
buggy code in the utilities.





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.970209111131.2503B-100000>
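An added example, not code from this thread or from FreeBSD's libc, showing the defect the message describes: a PATH_LOCALE value copied into a 1024-byte stack buffer with no length check, beside a checked copy that refuses any value that does not fit instead of overflowing. The function names below and the shape of the unchecked copy are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOCALE_NAME_MAX 1024   /* the name[1024] stack buffer from the thread */

/* Pattern the thread describes (assumed shape, not the libc source): the value
 * lands in a fixed stack buffer unchecked, so 1024+ bytes run past name[]. */
static void copy_locale_unchecked(const char *value)
{
    char name[LOCALE_NAME_MAX];
    strcpy(name, value);   /* no bounds check */
}

/* Length-checked form: copy only when value plus its NUL fits in namesz.
 * Returns 0 on success, -1 (name untouched) for a missing or oversize
 * value, instead of overflowing or silently truncating. */
static int copy_locale_checked(const char *value, char *name, size_t namesz)
{
    size_t len;
    if (value == NULL || namesz == 0)
        return -1;
    len = strlen(value);
    if (len >= namesz)
        return -1;
    memcpy(name, value, len + 1);
    return 0;
}

/* Try a constructed value of exactly len bytes against a 1024-byte buffer. */
static int try_value_of_length(size_t len)
{
    char name[LOCALE_NAME_MAX];
    char *value = malloc(len + 1);
    int rc;
    if (value == NULL)
        return -1;
    memset(value, 'A', len);
    value[len] = '\0';
    rc = copy_locale_checked(value, name, sizeof name);
    free(value);
    return rc;
}

int main(void)
{
    copy_locale_unchecked("C");   /* a short value is harmless even unchecked */
    printf("1023 bytes -> %d, 1024 bytes -> %d\n",
           try_value_of_length(1023), try_value_of_length(1024));   /* 0, -1 */
    return 0;
}
```

The same length check applied to getenv("PATH_LOCALE") is what the fix quoted above avoids needing, since removing the getenv call removes the attacker-controlled input entirely; the check still matters for any statically linked binary that keeps the old code.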