From owner-freebsd-security Mon Feb 3 02:26:47 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id CAA21429 for security-outgoing; Mon, 3 Feb 1997 02:26:47 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA21417 for ; Mon, 3 Feb 1997 02:26:42 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id EAA19567; Mon, 3 Feb 1997 04:26:20 -0600 (CST)
From: "Thomas H. Ptacek" <tqbf@enteract.com>
Message-Id: <199702031026.EAA19567@enteract.com>
Subject: Re: Critical Security Problem in 4.4BSD crt0
To: torbjorn@norway.eu.net (Torbjorn Ose)
Date: Mon, 3 Feb 1997 04:25:39 -0600 (CST)
Cc: freebsd-security@freebsd.org
Reply-To: tqbf@enteract.com
In-Reply-To: <199702031013.LAA27365@kirov.eunet.no> from "Torbjorn Ose" at Feb 3, 97 10:13:51 am
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> ok, I could be wrong about 2.1.6. Here's the first message I can find that

You are. The problem is "fixed" in -current with patches to setlocale.c that
check mismatched e/uid and do bounds checking on the string copies, but 2.2
doesn't do startup locale processing. 2.1.6 did not resolve this problem.

> mentions the problem (from Best of Security). It's from August 1996 so the
> problem has been well known for a long time. It seems all other messages I have

Uh. Locales have been a problem for a long, long time. They can be used to
subvert quite a few programs. Startup locale processing and a crt0
vulnerability have not been well known for a long time. I would hope that the
FreeBSD team, upon becoming aware of a problem that rendered every privileged
binary on their system vulnerable, would have released an official
announcement about the problem.

Locale processing in general is an issue for many reasons, not the least (and
not the only) of which is the fact that the routines aren't coded safely for
SUID programs. Silently processing locale information in every program on the
system out of start() is a different issue, though. I'm fairly certain that if
Mr. Assange was aware (in August) of the crt0 vulnerability, he'd have
notified someone (as opposed to leaving vague hints in unrelated messages).
However, I obviously don't speak for him.

> on this bug are personal mails that I cannot quote from without permission.

If your information regarding this problem is not publicly available, it's
irrelevant to the purposes of my posts on bugtraq and comp.security.unix.

I'll reiterate: 2.1.6 is vulnerable to this problem, and anyone with a 2.1.6
installation is vulnerable. The FreeBSD team has not made information
regarding this problem available to the public, although they did silently
fix it in -current.

Thanks again for your input.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."