From owner-freebsd-security Wed Feb 5 12:22:29 1997
Return-Path: <owner-security@freebsd.org>
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id MAA08878 for security-outgoing; Wed, 5 Feb 1997 12:22:29 -0800 (PST)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA08864 for ; Wed, 5 Feb 1997 12:22:19 -0800 (PST)
Received: (from guido@localhost) by gvr.win.tue.nl (8.8.5/8.8.2) id VAA17555; Wed, 5 Feb 1997 21:21:39 +0100 (MET)
From: Guido van Rooij
Message-Id: <199702052021.VAA17555@gvr.win.tue.nl>
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
In-Reply-To: <19970205190333.11804.qmail@char-star.rdist.org> from "tqbf@enteract.com" at "Feb 5, 97 07:03:33 pm"
To: tqbf@enteract.com
Date: Wed, 5 Feb 1997 21:21:39 +0100 (MET)
Cc: karl@Mcs.Net, freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> An advisory for this problem needs to be released immediately. The FreeBSD
> project needs to come to grips with the fact that there are many, many
> people who won't act on a problem until CERT releases an advisory. Until
> that happens, people will remain vulnerable to the problem, regardless of
> how much effort goes into finding "the right fix".
>

I only want to make an advisory when we can advise something. At this time
there is still uncertainty about what to do.

I think the following should do the trick:

1) patch for crt0.c including something where the env. variable will be
   ignored for SUID/SGID programs. This should solve the case where ppl.
   want to rebuild everything
2) For a binary only fix:
   a) new shared libc's for every release since 2.0
   b) the lfix program that patches out the call to startup_setlocale in
      the binary; this for every release and including checks for
      immutable and append only flags.

And of course a README that will not leave any doubt on the exact actions
to take. That should do the trick. Please correct me if I forgot anything.

-Guido
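The following is an added example, not code from this thread and not FreeBSD's own crt0.c or libc, illustrating the shape of fix 1) above: a startup routine that only honours an environment-supplied locale directory when the process is not running set-uid or set-gid. The variable name LOCALE_DIR_VAR, the function names and the fallback path are placeholders chosen for the example; the thread does not name the variable. The credentials are passed in explicitly so the decision logic can be exercised with constructed values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Placeholder name for the environment variable the startup code reads
 * (assumption: the thread only says "the env. variable"). */
#define LOCALE_DIR_VAR "LOCALE_DIR_VAR"

/* Returns 1 when real and effective ids differ, i.e. the program was
 * started set-uid or set-gid and its environment is attacker-controlled. */
int privileged_credentials(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Choose the locale directory. env_value is the variable's value (NULL
 * if unset); fallback is the compiled-in default. For a set-id process
 * the environment is ignored entirely and the fallback is returned. */
const char *choose_locale_dir(const char *env_value, const char *fallback,
                              uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (env_value == NULL || env_value[0] == '\0')
        return fallback;
    if (privileged_credentials(ruid, euid, rgid, egid))
        return fallback;            /* SUID/SGID: do not trust the environment */
    return env_value;
}

/* Hypothetical startup hook: same decision using the live process ids. */
const char *startup_locale_dir(const char *fallback)
{
    return choose_locale_dir(getenv(LOCALE_DIR_VAR), fallback,
                             getuid(), geteuid(), getgid(), getegid());
}

int main(void)
{
    /* Constructed credential sets: an ordinary process and a set-uid-root one. */
    const char *def = "/usr/share/locale";
    printf("unprivileged, env set : %s\n",
           choose_locale_dir("/home/user/locale", def, 1000, 1000, 1000, 1000));
    printf("set-uid root, env set : %s\n",
           choose_locale_dir("/home/user/locale", def, 1000, 0, 1000, 1000));
    printf("live process          : %s\n", startup_locale_dir(def));
    return 0;
}
```

The real/effective id comparison is the portable check available in 1997; it misses a process that has already dropped privileges before the check runs, which is why later BSDs added issetugid(3) and why a startup-time check in crt0 (before any user code) is the right place for it.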