From owner-freebsd-security Wed Feb 5 11:08:37 1997
From: "Thomas H. Ptacek"
Message-Id: <199702051907.NAA15847@enteract.com>
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
To: eivind@dimaga.com (Eivind Eklund)
Date: Wed, 5 Feb 1997 13:07:14 -0600 (CST)
Cc: freebsd-security@freebsd.org
Reply-To: tqbf@enteract.com
In-Reply-To: <3.0.32.19970205195349.009f08d0@dimaga.com> from "Eivind Eklund" at Feb 5, 97 07:53:50 pm

> I checked _everything_ for calls to locale. The only significant items are
> the ones I mentioned. The only one that is setuid() as default (or likely
> to be set setuid) is crontab.

Yeah, I checked FreeBSD 2.2 with the assumption that 2.1 programs wouldn't
bother with redundant locale calls. There are many SGID kmem binaries in 2.2
that are vulnerable - this is as bad as a root compromise.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."
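As an added example that is not code from this thread or from FreeBSD, the kind of audit the two posters describe can be scripted: walk a tree, list every set-uid or set-gid file, and mark which file images reference setlocale so a reviewer knows which privileged programs would act on a locale taken from the caller's environment. The function names, the default watched group (kmem, as in the thread) and the output layout are my own choices.

```sh
#!/bin/sh
# Added audit helper (not from the original thread). Prints one line per
# set-uid / set-gid regular file under DIR, sorted:
#   <setuid|setgid|both> <group|-> <locale|nolocale> <path>
# The group column shows GROUP (default kmem) when a set-gid file belongs to
# it, so "setgid kmem locale" lines are the ones to review first.
audit_setid_locale() {
    dir=$1
    grp=${2:-kmem}
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if [ -u "$f" ] && [ -g "$f" ]; then kind=both
        elif [ -u "$f" ]; then kind=setuid
        else kind=setgid
        fi
        # Only set-gid files can hand out the watched group's privilege.
        if [ "$kind" != setuid ] && [ -n "$(find "$f" -group "$grp" -print 2>/dev/null)" ]; then
            g=$grp
        else
            g=-
        fi
        # Binary-safe search for the symbol name: a dynamically linked program
        # keeps "setlocale" in its dynamic string table; a stripped static
        # binary may not, so "nolocale" is a hint, not proof of absence.
        if grep -a -q 'setlocale' "$f"; then loc=locale; else loc=nolocale; fi
        printf '%s %s %s %s\n' "$kind" "$g" "$loc" "$f"
    done | sort
}

# Number of set-id files that reference setlocale: the review backlog size.
count_locale_setid() {
    audit_setid_locale "$@" | awk '$3 == "locale"' | wc -l | tr -d ' '
}
```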