From owner-freebsd-security Wed Feb 5 10:17:48 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id KAA19076 for security-outgoing; Wed, 5 Feb 1997 10:17:48 -0800 (PST)
Received: from smyrno.sol.net (smyrno.sol.net [206.55.64.117]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA18247; Wed, 5 Feb 1997 10:16:43 -0800 (PST)
Received: from solaria.sol.net (solaria.sol.net [206.55.65.75]) by smyrno.sol.net (8.8.3/8.8.3) with SMTP id MAA27464; Wed, 5 Feb 1997 12:16:41 -0600 (CST)
Received: from localhost by solaria.sol.net (8.5/8.5) id MAA13357; Wed, 5 Feb 1997 12:16:38 -0600
From: Joe Greco
Message-Id: <199702051816.MAA13357@solaria.sol.net>
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
To: karl@Mcs.Net (Karl Denninger)
Date: Wed, 5 Feb 97 12:16:36 CST
Cc: Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org
In-Reply-To: <199702051742.LAA05872@Jupiter.Mcs.Net> from "Karl Denninger" at Feb 5, 97 11:42:14 am
X-Mailer: ELM [version 2.4dev PL65]
MIME-Version: 1.0
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > The locale stuff appears to have been removed from 2.2's crt0.c as well.
> > I don't know anything more about what was done, but it seems to me that
> > that suggests that it is not mandatory for use of the locale stuff.
> >
> > The comments suggested that it was an easy way to try to locale-ize
> > the entire system. It should not, I would think, preclude the use of
> > the locale code, but then again, I am only very mildly familiar with
> > that stuff.
>
> NO NO NO NO!
>
> The ENTIRE setlocale() code is a HUGE security problem. Among other things,
> any program which is SUID or SGID Kmem is INSTANTLY penetrable to provide
> access to the resources which would otherwise be "protected".
>
> SETLOCALE MUST BE REMOVED FROM USE UNTIL IT CAN BE FIXED. It is FULL of
> non-bounds-checked calls to string routines.
>
> I have already found setlocale() calls in SEVERAL privileged programs.
>
> Note that Tom Ptaeck WILL be releasing *EXPLOITS AND DETAILS* within one
> week. Either this gets fixed or the world knows how to break in.

KARL!!!!

Shut the hell up already. The bull-in-a-china-shop routine is getting very
fucking old. You are not being part of the solution, so you are being part
of the problem.

I have just as much at stake here as you do. I agree that there is a
tank-sized hole. But what needs to happen is some strategizing, so that a
_fix_ can be released. A _fix_ that addresses the concerns. That is still
being discussed.

There is complete buy-in and complete consensus, from everything I can tell,
that something MUST be done, and something WILL be done. It appears to me
that a cleanup "security" release (2.1.6.2, or 2.1.7, or whatever) WILL
happen, quite possibly with a bunch of other fixes as well. Nobody wants
that more than me. We are also looking at ways to distribute a "patch kit"
for pre-2.1.6 releases.

It's gonna get fixed, Karl.

Now, if you REALLY want to help, drop the bulldog act, and sign up to do
something USEFUL. I'm trying. You can too! An organization your size must
have a C programmer or two; why not have them spend a day eliminating every
single unchecked-bounds string function call that they can? That is how
things get DONE. You might even regain some credibility. But we need to
make sure that the effort is coordinated.

... JG
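[Added illustration, not part of the thread and not FreeBSD or libc source.]
The bug class the thread is arguing about is a locale routine that copies
an environment-supplied name (LANG or LC_*) into a fixed-size buffer with
unchecked string calls, inside a program that runs set-user-ID or
set-group-ID. The constructed C below shows that pattern next to the kind
of bounded, validated replacement the "eliminate every unchecked string
call" cleanup would produce. The locale directory, the category file name,
the 32-byte name limit and the function names are assumptions made for the
example; nothing here is taken from the 2.1.6 setlocale() code.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed, illustrative locale tree layout; not a claim about any libc. */
#define LOCALE_DIR      "/usr/share/locale"
#define CATEGORY_FILE   "LC_CTYPE"
#define MAX_LOCALE_NAME 32      /* arbitrary bound chosen for this example */
#define PATH_BUF        256

/*
 * Vulnerable form: the environment-supplied locale name is copied into a
 * fixed-size buffer with strcpy/strcat and no length check at all.  In a
 * set-user-ID or set-group-ID program whoever exec'd the binary controls
 * LANG, so a long enough value writes past the end of buf.  Constructed to
 * show the defect class; never call it with untrusted input.
 */
void unsafe_locale_path(char *buf, const char *name)
{
    strcpy(buf, LOCALE_DIR);
    strcat(buf, "/");
    strcat(buf, name);
    strcat(buf, "/");
    strcat(buf, CATEGORY_FILE);
}

/*
 * Hardened form: reject anything that is not a plausible locale name
 * (empty, over-long, path separators, "." or ".."), then build the path
 * with snprintf and treat truncation as an error rather than using a
 * partial path.  Returns 0 on success, -1 if the name or buffer size is
 * unacceptable; buf is left unchanged on rejection of the name.
 */
int safe_locale_path(char *buf, size_t bufsz, const char *name)
{
    size_t i, n;
    int len;

    if (buf == NULL || name == NULL)
        return -1;
    n = strlen(name);
    if (n == 0 || n > MAX_LOCALE_NAME)
        return -1;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        /* allow names like "en_US.ISO8859-1" or "de_DE@euro"; nothing else */
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-' || c == '@'))
            return -1;
    }
    len = snprintf(buf, bufsz, "%s/%s/%s", LOCALE_DIR, name, CATEGORY_FILE);
    if (len < 0 || (size_t)len >= bufsz)
        return -1;      /* would not fit: refuse rather than truncate */
    return 0;
}

int main(void)
{
    /* Constructed sample LANG values an attacker might hand a set-ID program. */
    const char *samples[] = { "en_US.ISO8859-1", "../../../tmp", "C", "" };
    char path[PATH_BUF];
    char longname[300];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (safe_locale_path(path, sizeof path, samples[i]) == 0)
            printf("accepted %-20s -> %s\n", samples[i], path);
        else
            printf("rejected \"%s\"\n", samples[i]);
    }

    /* 299 'A's: unsafe_locale_path() would overflow path here; the checked
     * routine rejects the name without touching the buffer. */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("over-long name: %s\n",
           safe_locale_path(path, sizeof path, longname) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Bounding the copy is the fix the thread calls for; a separate layer that
a set-ID program can add on its own is to not consult LANG or LC_* at all
when getuid() != geteuid() (or the gid equivalents), so the locale tree is
only walked with names the process owner chose.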