Date: Wed, 05 Feb 1997 19:08:10 +0100
From: Eivind Eklund <eivind@dimaga.com>
To: tqbf@enteract.com
Cc: freebsd-security@freebsd.org
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
Message-ID: <3.0.32.19970205190809.009ec770@dimaga.com>

At 05:43 PM 2/5/97 -0000, tqbf@enteract.com wrote:
>In article <3.0.32.19970205173026.0093c150@dimaga.com>, you wrote:
>>I was unable to find a call to any locale-function in 2.1.6 "at".
>
>That's because 2.1.x programs don't explicitly call setlocale() - they
>rely on crt0 start() to do that for them. FreeBSD 2.2's at(1) explicitly
>calls setlocale() from main(), before getopt.
>
>In 2.1.6, you're screwed until you fix crt0.c. In FreeBSD 2.2, prior to
>December, you're screwed until you remove the setlocale() call from at(1)
>or fix your locale routines.

... don't forget crontab, which will screw you (call setlocale) in 2.1.6
(and 2.2?), as setuid root.

The other programs on the list I posted here earlier today call setlocale,
but are not setuid, so they aren't _that_ dangerous.

Eivind Eklund / perhaps@yes.no / http://maybe.yes.no/perhaps/