From owner-freebsd-security Thu Sep 7 14:27:14 2000
Message-Id: <200009072126.e87LQuE12710@xerxes.courtesan.com>
To: Kris Kennaway
Cc: Warner Losh, "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, millert@openbsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-reply-to: Your message of "Thu, 07 Sep 2000 14:19:06 PDT."
Date: Thu, 07 Sep 2000 15:26:56 -0600
From: "Todd C. Miller"
Sender: owner-freebsd-security@FreeBSD.ORG

In message so spake Kris Kennaway (kris):

> Again, the problem here is with sudo, not with something that comes in
> FreeBSD.

How is this a sudo problem? Do you expect sudo to strip away the NLS env vars for you? This would not be unprecedented, as sudo already strips out LD_* and friends, but breaking locales seems a bit dodgy. As I haven't seen the entire thread I'm clearly missing some info...

 - todd
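
The trade-off raised in the message above (dropping variables outright, as with LD_*, versus not breaking locales), as an added example that is not part of the original message and is not sudo's code. The two policy tables, the function names env_entry_ok and scrub_env, and the sample environment are assumptions made for illustration: LD_* and NLSPATH are dropped unconditionally, while LANG, LANGUAGE and LC_* are kept unless their value contains '/' or '%'.

```c
#include <stdio.h>
#include <string.h>

/* Assumed policy tables (illustrative); a trailing '*' matches any suffix. */
static const char *const always_drop[] = { "LD_*", "NLSPATH", NULL };
static const char *const check_value[] = { "LANG", "LANGUAGE", "LC_*", NULL };

/* Return 1 if the variable name (first len bytes of name) matches a table entry. */
static int in_table(const char *name, size_t len, const char *const *tab)
{
    for (; *tab != NULL; tab++) {
        size_t plen = strlen(*tab);
        if ((*tab)[plen - 1] == '*') {
            if (len >= plen - 1 && strncmp(name, *tab, plen - 1) == 0)
                return 1;
        } else if (len == plen && strncmp(name, *tab, plen) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Return 1 to keep a "NAME=value" entry, 0 to drop it. */
int env_entry_ok(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;                         /* malformed: no name or no '=' */
    size_t len = (size_t)(eq - entry);
    if (in_table(entry, len, always_drop))
        return 0;
    /* A locale name has no legitimate use for '/' (a path) or '%'
     * (a format or template character), so such values are rejected. */
    if (in_table(entry, len, check_value) && strpbrk(eq + 1, "/%") != NULL)
        return 0;
    return 1;
}

/* Compact envp in place; return the number of entries kept. */
size_t scrub_env(char **envp)
{
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (env_entry_ok(envp[i]))
            envp[kept++] = envp[i];
    envp[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed sample environment, not taken from the thread. */
    char *env[] = { "PATH=/usr/bin:/bin", "LD_PRELOAD=/tmp/x.so",
                    "NLSPATH=/tmp/%N.cat", "LC_ALL=en_US.ISO8859-1",
                    "LC_MESSAGES=%s%s", "TERM=xterm", NULL };
    size_t n = scrub_env(env);
    for (size_t i = 0; i < n; i++)
        puts(env[i]);
    return 0;
}
```

A privileged wrapper would run such a filter over its inherited environment before any locale or message-catalog call is made, so ordinary locale settings such as LC_ALL=en_US.ISO8859-1 keep working.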