Date: Wed, 05 Feb 1997 17:30:28 +0100
To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij)
From: Eivind Eklund
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
Cc: jgreco@solaria.sol.net (Joe Greco), Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org

At 04:01 PM 2/5/97 +0100, Guido van Rooij wrote:
>Joe Greco wrote: [on binary patching of 2.1.6 binaries]
>> With this, it would be MUCH simpler to release a "security binary kit"
>> upgrade to 2.1.X series systems.
>
>Before everyone starts singing `Hallelujah', let me state first that
>this does not solve everything. At runs a setlocale() itself,

I was unable to find a call to any locale-function in 2.1.6 "at". However, can anybody say crontab? I knew you could.

Other programs that might want a patch are csh, expr, diff, tr and cc - all of them might be run as root from a script and get passed locale.

>so it is still vulnerable. Further, it will not solve the problem for ppl
>that actually NEED the locale stuff....

Who needs locales? Is there _anybody_ that uses them? I don't know of anybody that uses them on UNIX, and nobody that would say they need them on any platform.

Eivind Eklund / perhaps@yes.no / http://maybe.yes.no/perhaps/