Date: Wed, 5 Feb 97 12:16:36 CST From: Joe Greco <jgreco@solaria.sol.net> To: karl@Mcs.Net (Karl Denninger) Cc: Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE Message-ID: <199702051816.MAA13357@solaria.sol.net> In-Reply-To: <199702051742.LAA05872@Jupiter.Mcs.Net> from "Karl Denninger" at Feb 5, 97 11:42:14 am
next in thread | previous in thread | raw e-mail | index | archive | help
> > The locale stuff appears to have been removed from 2.2's crt0.c as well, > > I don't know anything more about what was done, but it seems to me that > > that suggests that it is not mandatory for use of the locale stuff. > > > > The comments suggested that it was an easy way to try to locale-ize > > the entire system. It should not, I would think, preclude the use of > > the locale code, but then again, I am only very mildly familiar with > > that stuff. > > NO NO NO NO! > > The ENTIRE setlocale() code is a HUGE security problem. Among other things, > any program which is SUID or SGID Kmem is INSTANTLY penetrable to provide > access to the resources which would otherwise be "protected". > > SETLOCALE MUST BE REMOVED FROM USE UNTIL IT CAN BE FIXED. It is FULL of > non-bounds-checked calls to string routines. > > I have already found setlocale() calls in SEVERAL privileged programs. > > Note that Tom Ptaeck WILL be releasing *EXPLOITS AND DETAILS* within one > week. Either this gets fixed or the world knows how to break in. KARL!!!! Shut the hell up already. The bull in a china shop routine is getting very fucking old. You are not being part of the solution, so you are being part of the problem. I have just as much at stake here as you do. I agree that there is a tank-sized hole. But what needs to happen is some strategizing, so that a _fix_ can be released. A _fix_ that addresses the concerns. That is still being discussed. There is complete buy-in and complete consensus, from everything I can tell, that something MUST be done, and something WILL be done. It appears to me that a cleanup "security" release (2.1.6.2, or 2.1.7, or whatever) WILL happen, quite possibly with a bunch of other fixes as well. Nobody wants that more than me. We are also looking at ways to distribute a "patch kit" for pre-2.1.6 releases. It's gonna get fixed, Karl. Now, if you REALLY want to help, drop the bulldog act, and sign up to do something USEFUL. I'm trying. You can too! An organization your size must have a C programmer or two, why not have them spend a day eliminating every single unchecked bounds string function call that they can? That is how things get DONE. You might even regain some credibility. But we need to make sure that the effort is coordinated. ... JG
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702051816.MAA13357>