Date: Wed, 5 Feb 1997 16:01:18 +0100 (MET)
From: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij)
To: jgreco@solaria.sol.net (Joe Greco)
Cc: Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
Message-ID: <199702051501.QAA01260@bsd.lss.cp.philips.com>
In-Reply-To: <199702051447.IAA11557@solaria.sol.net> from Joe Greco at "Feb 5, 97 08:47:11 am"

Joe Greco wrote:
> >
> > You can use the lfix program to do so. It was posted by a Russian guy,
> > whose name I forgot. I added a fix so it can actually do the complete
> > filesystem in one sweep. Basically it patches the binary to replace
> > the above call by nops.
>
> PERFECT!!! We have a solution :-) (this was the most worrisome security
> hole, the smaller ones like talkd could be "patched" much more easily).
>
> But could you be a little more vague, please? Where do I get it from? :-)
>
> I don't see it on Freefall... a DejaNews search doesn't turn anything up...
> Ah. I see it on the security list archive.
>
> Jordan: once we have it tested, can we get this posted somewhere and make
> big blinking neon signs that PEOPLE NEED TO RUN THIS? I'm gonna compile
> it up and try it shortly.
>
> With this, it would be MUCH simpler to release a "security binary kit"
> upgrade to 2.1.X series systems.

Before everyone starts singing `Hallelujah', let me state first that this
does not solve everything. At runs a setlocale() itself, so it is still
vulnerable. Further, it will not solve the problem for ppl that actually NEED
the locale stuff....

-Guido