Date: Mon, 6 Nov 1995 13:34:56 -0700 (MST) From: Terry Lambert <terry@lambert.org> To: davidg@root.com Cc: paul@trumpet.net.au, freebsd-questions@freebsd.org Subject: Re: Fwd: CERT Advisory CA-95:14 - Telnetd Environment Vulnerability (fwd) Message-ID: <199511062034.NAA15846@phaeton.artisoft.com> In-Reply-To: <199511060859.AAA00611@corbin.Root.COM> from "David Greenman" at Nov 6, 95 00:59:44 am
next in thread | previous in thread | raw e-mail | index | archive | help
> > FreeBSD vulnerable > > Unfortunately, the list wasn't updated for FreeBSD. The problem is fixed in > both -current and the upcoming 2.1 release. Is this in fact even a problem? The /usr/bin/login program is an suid program, meaning that library environment variables should be ignored. There *is* a potential hole in the ldconfig, since the object (incorrectly) does not "rememeber" the link-time fully qualified path, but that exists even in the "fixed" -current. Terry Lambert terry@lambert.org --- Any opinions in this posting are my own and not those of my present or previous employers.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199511062034.NAA15846>