Date: Thu, 07 Sep 2000 15:44:48 -0600 From: Warner Losh <imp@village.org> To: Kris Kennaway <kris@FreeBSD.org> Cc: "Todd C. Miller" <Todd.Miller@courtesan.com>, "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>, freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, millert@openbsd.org Subject: Re: UNIX locale format string vulnerability (fwd) Message-ID: <200009072144.PAA06367@harmony.village.org> In-Reply-To: Your message of "Thu, 07 Sep 2000 14:39:30 PDT." <Pine.BSF.4.21.0009071433440.16052-100000@freefall.freebsd.org> References: <Pine.BSF.4.21.0009071433440.16052-100000@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <Pine.BSF.4.21.0009071433440.16052-100000@freefall.freebsd.org> Kris Kennaway writes: : Now, I haven't fully explored to what extent this is possible on FreeBSD - : I believe the first one is a problem if sudo is used on third party : applications, but I'm not sure if the second one is, i.e. whether we : disallow use of '/' in the appropriate locale variables. We already disallow this. You can't set your lang to be ../../../../../../etc/master.password, for example. If the LANG variable has / in it, it is ignored. I think that the only one that needs this restriction. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200009072144.PAA06367>