From owner-freebsd-security Thu Sep 7 3:41:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id D3C6B37B422; Thu, 7 Sep 2000 03:41:13 -0700 (PDT) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id DAA02056; Thu, 7 Sep 2000 03:41:13 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 7 Sep 2000 03:41:13 -0700 (PDT) From: Kris Kennaway To: "Vladimir Mencl, MK, susSED" Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG Subject: Re: UNIX locale format string vulnerability (fwd) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 7 Sep 2000, Vladimir Mencl, MK, susSED wrote: > However, I think that FreeBSD is vulnerable with the sudo port > installed. > > Although sudo discards some dangerous environment variables (LD_LIBRARY_PATH) > it does pass the LC_ALL, PATH_LOCALE variables through. > > Therefore, I belive, that any user allowed to use sudo to execute a > program with elevated privileges, can potentially exploit this > vulnerability. > > So, at least a port security advisory should be issued, and possibly the > sudo port patched to discard locale-specific environment variables. Thanks for the report. I'll look into it and issue a ports advisory if necessary (this seems to be a sudo problem, not a FreeBSD one - PATH_LOCALE is ignored if setugid, and at first glance LC_ALL is okay too, although I need to check that properly) Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message