From owner-freebsd-security Mon Feb 3 01:03:23 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id BAA16406 for security-outgoing; Mon, 3 Feb 1997 01:03:23 -0800 (PST)
Received: from super-g.inch.com (super-g.com [204.178.32.161]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id BAA16399 for ; Mon, 3 Feb 1997 01:03:20 -0800 (PST)
Received: from localhost (spork@localhost) by super-g.inch.com (8.8.5/8.6.9) with SMTP id EAA18922; Mon, 3 Feb 1997 04:08:56 -0500 (EST)
Date: Mon, 3 Feb 1997 04:08:55 -0500 (EST)
From: spork
X-Sender: spork@super-g.inch.com
To: Dan Cross
cc: freebsd-security@freebsd.org
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-Reply-To: <19970203074835.13187.qmail@spitfire.ecsel.psu.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

What would happen if the "safe" 2.2 library were used under 2.1.6? It certainly compiles OK... Or am I smoking crack here?

Charles

On Mon, 3 Feb 1997, Dan Cross wrote:

> > Question: Does this problem in 2.1.5 appear in 2.1.6 or 2.1.6.1? Since the
> > libraries are similar, my guess without comparing code is that the bug
> > is there.
>
> yes, the bug does indeed appear in 2.1.6, at least. Here's an untested
> patch which SHOULD fix the problem, though:
>
> ----- Begin startup_setlocale.diff > *** startup_setlocale.c 1997/02/03 07:40:46 1.1 > --- startup_setlocale.c 1997/02/03 07:41:47 > *************** > *** 174,183 **** > return(0); > } > > ! (void) strcpy(name, PathLocale); > ! (void) strcat(name, "/"); > ! (void) strcat(name, encoding); > ! (void) strcat(name, "/LC_CTYPE"); > > if ((fp = fopen(name, "r")) == NULL) > return(ENOENT); > --- 174,181 ---- > return(0); > } > > ! (void) snprintf(name, > ! 
PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding); > > if ((fp = fopen(name, "r")) == NULL) > return(ENOENT); > ----- End of startup_setlocale.diff
>
> Note that there might be more problems, but I haven't got the time
> to test for them right now. :-(
>
> - Dan C.
>
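Review bot: the replacement line still discards the result of snprintf() with a `(void)` cast, so a PathLocale/encoding combination longer than PATH_MAX is no longer an overflow but is silently truncated, and the truncated path is then handed to fopen() on the next unchanged line. Suggest testing the return value and bailing out on truncation, e.g. `if (snprintf(name, PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding) >= PATH_MAX) return(ENAMETOOLONG);`, which matches the errno-style return the function already uses for ENOENT. Also worth confirming that `name` is actually declared with PATH_MAX bytes, since its declaration lies outside the hunk and the size argument only protects the buffer if the two agree.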