From owner-freebsd-security Mon Feb 3 02:14:10 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id CAA20332 for security-outgoing; Mon, 3 Feb 1997 02:14:10 -0800 (PST)
Received: from stop.no (gw.eunet.no [195.0.195.195]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA20317 for ; Mon, 3 Feb 1997 02:14:04 -0800 (PST)
Received: from kirov.eunet.no ([193.71.2.3]) by full.stop.no with ESMTP id <21773>; Mon, 3 Feb 1997 12:43:03 +0000
Received: from kirov.eunet.no (localhost [127.0.0.1]) by kirov.eunet.no (8.8.2/8.8.2/Torbjorn) with ESMTP id LAA27365; Mon, 3 Feb 1997 11:13:52 +0100 (MET)
Message-Id: <199702031013.LAA27365@kirov.eunet.no>
To: tqbf@enteract.com
cc: freebsd-security@freebsd.org
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-reply-to: Your message of "Mon, 03 Feb 1997 03:42:33 CST." <199702030943.DAA18201@enteract.com>
Date: Mon, 3 Feb 1997 10:13:51 +0000
From: Torbjorn Ose
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199702030943.DAA18201@enteract.com>, "Thomas H. Ptacek" writes:

> > This was also fixed in 2.1.6 and there was much talk about this ages ago
> > when it was first discovered. This was last year sometime. I also recall
> > reading an advisory from FreeBSD about this.

OK, I could be wrong about 2.1.6. Here's the first message I can find that mentions the problem (from Best of Security). It's from August 1996, so the problem has been well known for a long time. It seems all other messages I have on this bug are personal mails that I cannot quote from without permission.

From: Julian Assange
Date: Thu, 15 Aug 1996 09:28:05 +1000
To: best-of-security@suburbia.net
Subject: BoS: Wide spread resolv+ bugs
Resent-Date: Thu, 15 Aug 1996 09:28:19 +1000
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Resent-Message-Id: <"vYeOh1.0.0C5.94c4o"@suburbia>
Resent-From: best-of-security@suburbia.net
X-Mailing-List: archive/latest/219
X-Loop: best-of-security@suburbia.net
Precedence: list
Resent-Sender: best-of-security-request@suburbia.net

Alan Cox intimated on bugtraq that he has found some bugs in resolv+. The bugs have been about for years and concern the passing of environmental variables to resolv+ code (which is normally called by ping, rlogin, rsh, ssh etc). Since it looks like the cat is about to leap from the bag, I think I had better explain.

Resolv+ is a library, often incorporated with libc, but sometimes stand-alone (e.g. -lresolv). It contains gethostbyname()/gethostbyaddr() as well as other DNS functions. As an example of the wonders of resolv+:

    $ export RESOLV_HOST_CONF=/etc/shadow
    $ rlogin thepopeneverlikedbadgersanywaymate

Linux is prone to this. Solaris/SunOS does not appear to be. FreeBSD is not. But that's OK, they make up for it with NLS/Locale, which is a far, far bigger problem.

--
"Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis, _God in the Dock_

+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff@suburbia.net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

Torbjorn
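The pattern behind the two shell lines in Assange's message, as an added example in C. This is not code from the thread, from resolv+ or from any BSD libc: it is a toy configuration loader that reproduces the two defects a library called from a set-uid program must not have, each beside its fix. It assumes, in line with the historical resolv+ behaviour, that the library both honours RESOLV_HOST_CONF regardless of privilege and quotes rejected lines back in its diagnostics, which is what turns a set-uid rlogin into a reader of /etc/shadow. The keyword list, the function names (config_path_vulnerable, config_path_hardened, parse_config, diag_leaks_secret) and the stand-in shadow lines are all constructed for the demonstration; FreeBSD's issetugid(3) is the right primitive for the privilege check, and the uid/gid comparison used here is a portable approximation.

```c
/* Added example: toy resolver-config loader with the two defects of the
 * RESOLV_HOST_CONF bug (env-controlled path honoured while set-uid, and
 * rejected input echoed back) beside their fixes. Not resolv+ code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Defect 1: trusting an attacker-controlled environment variable for a file
 * path. Both variants take the variable's value as a parameter so they can be
 * exercised without touching the real environment. */

/* Vulnerable: honours the variable unconditionally. */
const char *config_path_vulnerable(const char *env_value, const char *default_path)
{
    return env_value != NULL ? env_value : default_path;
}

/* Hardened: ignores the variable when the process holds privilege its invoker
 * does not. Callers pass the result of issetugid(3) on FreeBSD, or of
 * running_setugid() below elsewhere. */
const char *config_path_hardened(const char *env_value, const char *default_path,
                                 int is_setugid)
{
    if (is_setugid || env_value == NULL)
        return default_path;
    return env_value;
}

/* Portable approximation of issetugid(3) (assumption: adequate for a demo; it
 * misses a program that has already dropped privilege). */
int running_setugid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Defect 2: echoing unparseable input back to the user. If the "config file"
 * is really /etc/shadow, every echoed line is a password hash.
 * parse_config() scans text line by line; blank lines, comments and lines
 * starting with a known host.conf keyword (constructed list) are accepted.
 * The first rejected line is described in diag: with echo_line set the
 * description quotes the line verbatim (vulnerable), otherwise only its
 * number (hardened). Returns the number of rejected lines. */
int parse_config(const char *text, int echo_line, char *diag, size_t diaglen)
{
    static const char *keywords[] = { "order", "trim", "multi", "nospoof",
                                      "spoofalert", "reorder" };
    int bad = 0, lineno = 0;
    const char *p = text;

    if (diaglen > 0)
        diag[0] = '\0';
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl != NULL ? (size_t)(nl - p) : strlen(p);
        int ok = (len == 0 || p[0] == '#');
        size_t i;
        lineno++;
        for (i = 0; !ok && i < sizeof keywords / sizeof keywords[0]; i++) {
            size_t kl = strlen(keywords[i]);
            if (len >= kl && strncmp(p, keywords[i], kl) == 0 &&
                (len == kl || p[kl] == ' ' || p[kl] == '\t'))
                ok = 1;
        }
        if (!ok) {
            if (bad == 0 && diaglen > 0) {
                if (echo_line)
                    snprintf(diag, diaglen, "line %d: unknown keyword in \"%.*s\"",
                             lineno, (int)len, p);
                else
                    snprintf(diag, diaglen, "line %d: unknown keyword", lineno);
            }
            bad++;
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return bad;
}

/* Constructed stand-in for /etc/shadow (not a real hash). */
const char *FAKE_SHADOW =
    "root:$1$constructed$notarealhash:10000:0:99999:7:::\n"
    "daemon:*:10000:0:99999:7:::\n";

/* Feed the stand-in shadow file through the parser and report whether the
 * diagnostic it produced contains the secret line. */
int diag_leaks_secret(int echo_line)
{
    char diag[256];
    parse_config(FAKE_SHADOW, echo_line, diag, sizeof diag);
    return strstr(diag, "root:") != NULL;
}

int main(void)
{
    char diag[256];
    const char *path = config_path_hardened(getenv("RESOLV_HOST_CONF"),
                                            "/etc/host.conf", running_setugid());
    printf("would read: %s\n", path);
    parse_config(FAKE_SHADOW, 1, diag, sizeof diag);
    printf("vulnerable diagnostic: %s\n", diag);
    parse_config(FAKE_SHADOW, 0, diag, sizeof diag);
    printf("hardened diagnostic:   %s\n", diag);
    return 0;
}
```

Either fix alone closes the attack shown in the message: if the path cannot be steered the attacker never gets the library to open /etc/shadow, and if diagnostics never quote input the file's contents stay in the process. Applying both is the usual practice, because a library cannot know what other files a future caller will be able to name.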