From owner-freebsd-security Sun Feb 9 08:12:08 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id IAA22287 for security-outgoing; Sun, 9 Feb 1997 08:12:08 -0800 (PST) Received: from www.trifecta.com (www.trifecta.com [206.245.150.3]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA22278 for ; Sun, 9 Feb 1997 08:12:03 -0800 (PST) Received: (from dev@localhost) by www.trifecta.com (8.7.5/8.6.12) id LAA02531; Sun, 9 Feb 1997 11:13:03 -0500 (EST) Date: Sun, 9 Feb 1997 11:13:03 -0500 (EST) From: Dev Chanchani To: David Greenman cc: tqbf@enteract.com, sadmin@roundtable.cif.rochester.edu, freebsd-security@FreeBSD.ORG Subject: Re: 2.1.7 In-Reply-To: <199702090655.WAA07032@root.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Sat, 8 Feb 1997, David Greenman wrote: > crt0 is static and part of every binary. > > The real problem is with what crt0 calls - _startup_setlocale() in libc, > which does a getenv of PATH_LOCALE and copies it to a stack buffer without > bounds checking. I removed the getenv call from the libc code, so this attack > simply doesn't exist anymore. Anything that is built shared/dynamic will > get the new libc and thus will no longer be vulnerable. _startup_setlocale() actually does the getenv from PATH_LOCALE, however, _startup_setrunlocale() actually copies PATH_LOCALE over name[1024]. I was under the impression that re-building libc would not work because such utilities as ping, at, etc are built statically, thus having the buggy code in the utilities.