Date: Wed, 5 Feb 1997 21:21:39 +0100 (MET) From: Guido van Rooij <guido@gvr.win.tue.nl> To: tqbf@enteract.com Cc: karl@Mcs.Net, freebsd-security@freebsd.org Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE Message-ID: <199702052021.VAA17555@gvr.win.tue.nl> In-Reply-To: <19970205190333.11804.qmail@char-star.rdist.org> from "tqbf@enteract.com" at "Feb 5, 97 07:03:33 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
> > An advisory for this problem needs to be released immediately. The FreeBSD > project needs to come to grips with the fact that there are many, many > people who won't act on a problem until CERT releases an advisory. Until > that happens, people will remain vulnerable to the problem, regardless of > how much effort goes into finding "the right fix". > I only want to make an advisory when we can adise something. At this time there is still uncertainty about what to do. I think the following should do the trick: 1) patch for crt0.c including something where the env. variable will e ignored for SUID/SGID programs. This should solve the case where ppl. want to rebuilt everything 2) For a binary only fix: a) new shared libc's for every release since 2.0 b) the lfix program that patches out the call to startup_setlocale in the binary; this for every release and including checks for immutable and append only flags. And of course a README that wll not leave any doubt on the exact actions to take. That should do the trick. Please correct me if I forgot anything. -Guido
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702052021.VAA17555>