Date: Wed, 5 Feb 1997 13:20:21 +1100 (EST)
From: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To: Karl Denninger <karl@Mcs.Net>, spork <spork@super-g.com>, jgreco@solaria.sol.net, security@freebsd.org
Subject: Re: Question: 2.1.7?
Message-ID: <Pine.BSF.3.91.970205094216.822F-100000@panda.hilink.com.au>
In-Reply-To: <Pine.BSF.3.91.970205071344.822A-100000@panda.hilink.com.au>
On Wed, 5 Feb 1997, I wrote:

> On Tue, 4 Feb 1997, Karl Denninger wrote:
>
> > There are static-linked executables which are shipped SUID with most FreeBSD
> > implementations. THESE MUST BE RECOMPILED ALSO!
> >
> > Make very, very sure you don't have any old SUID executables lying around.
> > If you do, you're vulnerable even with a libc fix.
>
> Thanks, I am aware of this. The package will include replacement static
> suid binaries.

As pointed out later in the discussion, there are also scary thoughts of
non-suid binaries becoming vulnerable by being run by root at some stage.

I have no pretensions of completely understanding all of the interrelationships
amongst cc, libc and the generated programs (learning fast, mind you), so I'd
like to concentrate my efforts for the Project on a more cosmetic level.

At the basic level, to fix the crt0() problem in 2.1.x, one needs to rebuild
libc with a new crt0() and rebuild all statically linked binaries. It has been
suggested that a 'make world' is needed, replacing all binaries, just in case.

If I'm going to make security update packages for 2.1.0 and 2.1.5/6, I'd like
some comments on what needs to be included.

Danny
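The practical question raised in this thread (which setuid/setgid binaries on a box are statically linked, and therefore carry their own copy of crt0/libc and have to be rebuilt rather than fixed by a shared-library update) is one an administrator can answer with a short audit script. The script below is an added example written for this page, not code from Daniel O'Callaghan, Karl Denninger or the FreeBSD Project. It assumes a POSIX shell plus find(1) and file(1); the strings "dynamically linked" and "statically linked" it matches on are the wording of modern file(1) output (an assumption; FreeBSD 2.1-era a.out binaries are described differently by file(1) and would land in the "other" bucket for manual inspection). Where file(1) is absent it falls back to ldd(1), which refuses static executables.

```shell
#!/bin/sh
# suidaudit.sh: list setuid/setgid executables under a root directory and
# report whether each is statically or dynamically linked.  Added example for
# this page; not part of any FreeBSD update package.
#
# Usage: sh suidaudit.sh /        (prints "<static|dynamic|other>\t<path>")

# link_kind PATH -> prints "static", "dynamic" or "other" for PATH.
# Assumes file(1) describes executables with "... linked" (modern wording);
# anything else (scripts, empty files, old a.out output) is reported as "other".
link_kind() {
    if command -v file >/dev/null 2>&1; then
        desc=$(file -b -- "$1" 2>/dev/null)
        case $desc in
            *"dynamically linked"*) echo dynamic ;;
            *"statically linked"*)  echo static ;;
            *)                      echo other ;;
        esac
    elif ldd "$1" >/dev/null 2>&1; then
        # Fallback without file(1): ldd succeeds only on dynamic executables.
        echo dynamic
    else
        echo static
    fi
}

# list_setid ROOT -> prints every regular file under ROOT with the setuid
# (4000) or setgid (2000) bit set, one per line, sorted.  -xdev keeps the
# scan on one filesystem so NFS mounts and /proc are not walked.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_setid ROOT -> one line per setid file: "<kind>\t<path>".
# The "static" lines are the binaries that must be rebuilt (or replaced from
# a fixed package); "dynamic" ones pick up a fixed libc automatically;
# "other" needs a human look.
audit_setid() {
    list_setid "$1" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(link_kind "$f")" "$f"
    done
}

# count_static ROOT -> number of statically linked setid files under ROOT.
count_static() {
    audit_setid "$1" | grep -c '^static'
}

if [ $# -gt 0 ]; then
    audit_setid "$1"
    echo "statically linked setid binaries: $(count_static "$1")" >&2
fi
```

Run it as root (or the find will silently skip directories it cannot read) and diff the output before and after installing the update package; any setid file that is still "static" and not on the package's replacement list is exactly the kind of leftover binary Karl Denninger warns about. Non-setuid static binaries that root runs routinely are outside what this script lists, which is the reason a full 'make world' is the conservative answer.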
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.970205094216.822F-100000>