Date: Wed, 5 Feb 1997 13:20:21 +1100 (EST)
From: "Daniel O'Callaghan"
To: Karl Denninger, spork, jgreco@solaria.sol.net, security@freebsd.org
Subject: Re: Question: 2.1.7?
Sender: owner-security@freebsd.org

On Wed, 5 Feb 1997, I wrote:

> On Tue, 4 Feb 1997, Karl Denninger wrote:
> > There are static-linked executables which are shipped SUID with most FreeBSD
> > implementations. THESE MUST BE RECOMPILED ALSO!
> >
> > Make very, very sure you don't have any old SUID executables laying around.
> > If you do, you're vulnerable even with a libc fix.
>
> Thanks, I am aware of this. The package will include replacement static
> suid binaries.

As pointed out later in the discussion, there are also scary thoughts of non-suid binaries becoming vulnerable by being run by root at some stage.

I have no pretensions of completely understanding all of the interrelationships amongst cc, libc and the generated programs, (learning fast, mind you), so I'd like to concentrate my efforts to the Project on a more cosmetic level.

At the basic level, to fix the crt0() problem in 2.1.x, one needs to rebuild libc with a new crt0(), and rebuild all statically linked binaries. It has been suggested that a 'make world' is needed, replacing all binaries, just in case.

If I'm going to make security update packages for 2.1.0 and 2.1.5/6, I'd like some comments on what needs to be included.

Danny
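
An added example, not part of the original message or of FreeBSD: one way to audit for the leftover binaries discussed above, listing set-id executables that are statically linked and were last modified before the libc fix was installed. It assumes ELF binaries (the a.out format of the 2.1.x era is not parsed) and treats modification time as a rough "not rebuilt since" signal; the names is_static_elf and stale_static_suid are hypothetical.

```python
import os
import stat
import struct

PT_INTERP = 3  # program header naming the run-time loader


def is_static_elf(path):
    """True if path is an ELF file with no PT_INTERP segment."""
    with open(path, "rb") as f:
        ident = f.read(16)
        if len(ident) < 16 or ident[:4] != b"\x7fELF" or ident[4] not in (1, 2):
            return False  # script, data, or a non-ELF format
        end = "<" if ident[5] == 1 else ">"
        # e_type .. e_phnum; address-sized fields are 8 bytes in ELF64, 4 in ELF32
        fmt = end + ("HHIQQQIHHH" if ident[4] == 2 else "HHIIIIIHHH")
        hdr = f.read(struct.calcsize(fmt))
        if len(hdr) < struct.calcsize(fmt):
            return False
        fields = struct.unpack(fmt, hdr)
        phoff, phentsize, phnum = fields[4], fields[8], fields[9]
        for i in range(phnum):
            f.seek(phoff + i * phentsize)
            p_type = f.read(4)
            if len(p_type) < 4:
                return False  # truncated program header table
            if struct.unpack(end + "I", p_type)[0] == PT_INTERP:
                return False  # dynamically linked: picks up the fixed libc
    return True


def stale_static_suid(root, fixed_at):
    """Set-id static ELF files under root last modified before fixed_at (epoch secs)."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if (stat.S_ISREG(st.st_mode)
                        and st.st_mode & (stat.S_ISUID | stat.S_ISGID)
                        and st.st_mtime < fixed_at
                        and is_static_elf(path)):
                    hits.append(path)
            except OSError:
                continue  # unreadable or vanished: skip
    return sorted(hits)
```

Call stale_static_suid("/", t) with t set to the time the fixed libc was installed; every path returned still carries the old library code and needs to be rebuilt or replaced.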