From owner-freebsd-security Thu Sep 7 15:26:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 7AEC637B423; Thu, 7 Sep 2000 15:26:23 -0700 (PDT) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA24626; Thu, 7 Sep 2000 15:26:23 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 7 Sep 2000 15:26:23 -0700 (PDT) From: Kris Kennaway To: Warner Losh Cc: "Todd C. Miller" , "Vladimir Mencl, MK, susSED" , freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, millert@openbsd.org Subject: Re: UNIX locale format string vulnerability (fwd) In-Reply-To: <200009072144.PAA06367@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 7 Sep 2000, Warner Losh wrote: > In message Kris Kennaway writes: > : Now, I haven't fully explored to what extent this is possible on FreeBSD - > : I believe the first one is a problem if sudo is used on third party > : applications, but I'm not sure if the second one is, i.e. whether we > : disallow use of '/' in the appropriate locale variables. > > We already disallow this. You can't set your lang to be > ../../../../../../etc/master.password, for example. If the LANG > variable has / in it, it is ignored. I think that the only one that > needs this restriction. I think all of the following can be pointed to arbitrary files as well in setlocale(): "LC_ALL", "LC_COLLATE", "LC_CTYPE", "LC_MONETARY", "LC_NUMERIC", "LC_TIME", "LC_MESSAGES", "LANG" Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message