Date:      Wed, 5 Feb 1997 11:42:14 -0600 (CST)
From:      Karl Denninger  <karl@Mcs.Net>
To:        jgreco@solaria.sol.net (Joe Greco)
Cc:        Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org, current@freebsd.org
Subject:   Re: 2.1.6+++: crt0.c CRITICAL CHANGE
Message-ID:  <199702051742.LAA05872@Jupiter.Mcs.Net>
In-Reply-To: <199702051515.JAA11822@solaria.sol.net> from "Joe Greco" at Feb 5, 97 09:15:15 am

> > > With this, it would be MUCH simpler to release a "security binary kit"
> > > upgrade to 2.1.X series systems.
> > 
> > Before everyone starts singing `Hallelujah', let me state first that
> > this does not solve everything. at runs a setlocale() itself, so
> > it is still vulnerable. Further, it will not solve the problem for ppl
> > that actually NEED the locale stuff....
> 
> The locale stuff appears to have been removed from 2.2's crt0.c as well.
> I don't know anything more about what was done, but it seems to me that
> that suggests that it is not mandatory for use of the locale stuff.
> 
> The comments suggested that it was an easy way to try to locale-ize
> the entire system.  It should not, I would think, preclude the use of
> the locale code, but then again, I am only very mildly familiar with
> that stuff.
> 
> ... Joe
> 
> -------------------------------------------------------------------------------
> Joe Greco - Systems Administrator			      jgreco@ns.sol.net
> Solaria Public Access UNIX - Milwaukee, WI			   414/342-4847

NO NO NO NO!

The ENTIRE setlocale() code is a HUGE security problem.  Among other things,
any program which is SUID or SGID Kmem is INSTANTLY penetrable to provide
access to the resources which would otherwise be "protected".

SETLOCALE MUST BE REMOVED FROM USE UNTIL IT CAN BE FIXED.  It is FULL of
non-bounds-checked calls to string routines.

I have already found setlocale() calls in SEVERAL privileged programs.

Note that Tom Ptacek WILL be releasing *EXPLOITS AND DETAILS* within one
week.  Either this gets fixed or the world knows how to break in.

--
-- 
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
			     | 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 773 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
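The defect Karl describes is locale selection in a privileged program copying an attacker-controlled environment string through non-bounds-checked string routines. The following is an added example, not code from this thread or from FreeBSD's crt0.c or libc, showing how a setuid/setgid program can take a locale name from the environment safely: the copy is explicitly bounded, the name is restricted to a conservative character set and length (LOCALE_MAX, kOverlongLocale, locale_name_ok and pick_locale are all assumed names chosen for this example), and when the real and effective uid differ the environment value is ignored and the "C" locale is used instead.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed upper bound on an accepted locale name, including the NUL. */
#define LOCALE_MAX 32

/* Constructed sample: an overlong value an untrusted caller might place in LANG. */
const char kOverlongLocale[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Returns 1 if name looks like a plausible locale name: non-NULL, non-empty,
 * shorter than LOCALE_MAX, and built only from [A-Za-z0-9_.@-].
 * strnlen() guarantees the scan never runs past LOCALE_MAX bytes. */
int locale_name_ok(const char *name)
{
    if (name == NULL)
        return 0;
    size_t n = strnlen(name, LOCALE_MAX);
    if (n == 0 || n >= LOCALE_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '@' || c == '-'))
            return 0;
    }
    return 1;
}

/* Chooses the locale to apply.  env_value is the raw environment string (may be
 * NULL); privileged is non-zero when real and effective ids differ.  Writes the
 * chosen name into out with an explicit bound and returns 0, or -1 if the
 * output buffer is too small.  Privileged processes always get "C". */
int pick_locale(const char *env_value, int privileged, char *out, size_t outlen)
{
    const char *chosen = "C";
    if (outlen == 0)
        return -1;
    if (!privileged && locale_name_ok(env_value))
        chosen = env_value;
    /* snprintf always NUL-terminates and never writes more than outlen bytes. */
    int rc = snprintf(out, outlen, "%s", chosen);
    if (rc < 0 || (size_t)rc >= outlen) {
        out[0] = '\0';          /* would have truncated: refuse rather than guess */
        return -1;
    }
    return 0;
}

/* Convenience wrapper for checking the chosen locale by value. */
int pick_locale_equals(const char *env_value, int privileged, const char *expected)
{
    char buf[LOCALE_MAX];
    if (pick_locale(env_value, privileged, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[LOCALE_MAX];
    /* A setuid binary sees real uid != effective uid; treat that as privileged. */
    int privileged = (getuid() != geteuid()) || (getgid() != getegid());
    if (pick_locale(getenv("LANG"), privileged, buf, sizeof buf) == 0)
        printf("using locale \"%s\"\n", buf);
    else
        printf("could not choose a locale\n");
    return 0;
}
```

The important design choice is that the bound is enforced before any copy happens and that the privileged branch does not consult the environment at all; whether the locale data itself is later parsed safely is a separate question the validation above does not answer.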


