From owner-freebsd-security Thu Sep 7 1:12:18 2000
Date: Thu, 7 Sep 2000 10:12:11 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: Kris Kennaway
Cc: Cy Schubert - ITSD Open Systems Group, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)

On Tue, 5 Sep 2000, Kris Kennaway wrote:

> On Tue, 5 Sep 2000, Cy Schubert - ITSD Open Systems Group wrote:
>
> > Wouldn't a FreeBSD system with Linux compatibility being utilised be
> > vulnerable too?
>
> Yes, but only if you've installed a vulnerable linux binary which is
> setuid or setgid something. We don't install any set[ug]id binaries in the
> linux_base or linux_devtools ports.
>
> Kris

However, I think that FreeBSD is vulnerable with the sudo port installed.

Although sudo discards some dangerous environment variables
(LD_LIBRARY_PATH), it does pass the LC_ALL, PATH_LOCALE variables through.

Therefore, I believe that any user allowed to use sudo to execute a
program with elevated privileges can potentially exploit this
vulnerability.

So, at least a port security advisory should be issued, and possibly the
sudo port patched to discard locale-specific environment variables.

Best regards

Vladimir Mencl
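
The mitigation proposed in the message above (discarding locale-specific environment variables before a program runs with elevated privileges), as an added example that is not part of the original post and is not sudo's code. The function names `is_unsafe_env` and `scrub_env`, and the variables listed beyond LC_ALL, PATH_LOCALE and LD_LIBRARY_PATH, are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* LC_* covers LC_ALL and LD_* covers LD_LIBRARY_PATH (named in the message, as
 * is PATH_LOCALE); LANG, LANGUAGE and NLSPATH are this example's assumption. */
static const char *const exact_names[] = { "LANG", "LANGUAGE", "NLSPATH", "PATH_LOCALE", NULL };
static const char *const name_prefixes[] = { "LC_", "LD_", NULL };

/* Return 1 if a "NAME=value" entry must not reach a privileged child. */
int is_unsafe_env(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t i, nlen = eq ? (size_t)(eq - entry) : 0;
    if (eq == NULL) return 1;           /* malformed entry: drop it */
    for (i = 0; exact_names[i] != NULL; i++)
        if (strlen(exact_names[i]) == nlen && strncmp(entry, exact_names[i], nlen) == 0)
            return 1;
    for (i = 0; name_prefixes[i] != NULL; i++)
        if (strncmp(entry, name_prefixes[i], strlen(name_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Filtered copy of envp (new array, shared strings); NULL if calloc fails. */
char **scrub_env(char *const envp[], size_t *dropped)
{
    size_t n = 0, kept = 0, i;
    char **out;
    while (envp[n] != NULL) n++;
    if ((out = calloc(n + 1, sizeof *out)) == NULL) return NULL;
    for (*dropped = 0, i = 0; i < n; i++) {
        if (is_unsafe_env(envp[i])) (*dropped)++;
        else out[kept++] = envp[i];
    }
    return out;                         /* calloc left the NULL terminator */
}

int main(void)
{
    char *env[] = { "PATH=/usr/bin:/bin", "LC_ALL=xx_XX", "PATH_LOCALE=/tmp/loc",
                    "LD_LIBRARY_PATH=/tmp", "TERM=vt100", NULL }; /* constructed sample */
    size_t dropped = 0, i;
    char **clean = scrub_env(env, &dropped);
    for (i = 0; clean != NULL && clean[i] != NULL; i++) puts(clean[i]);
    printf("dropped %lu entries\n", (unsigned long)dropped);
    free(clean);
    return 0;
}
```

The array returned by `scrub_env` is what a privileged wrapper would hand to `execve()` in place of the caller's environment.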