From: David Greenman <dg@root.com>
Reply-To: dg@root.com
Date: Mon, 03 Feb 1997 03:31:29 -0800
To: tqbf@enteract.com
cc: torbjorn@norway.eu.net (Torbjorn Ose), freebsd-security@FreeBSD.ORG
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-reply-to: Your message of "Mon, 03 Feb 1997 04:25:39 CST." <199702031026.EAA19567@enteract.com>
Message-Id: <199702031131.DAA10128@root.com>

>> ok, I could be wrong about 2.1.6. Here's the first message I can find that
>
> You are. The problem is "fixed" in -current with patches to setlocale.c
> that check mismatched e/uid and do bounds checking on the string copies,
> but 2.2 doesn't do startup locale processing. 2.1.6 did not resolve this
> problem.
...
> and anyone with a 2.1.6 installation is vulnerable. The FreeBSD team has
> not made information regarding this problem available to the public,
> although they did silently fix it in -current.

For the record, the setlocale call from crt0 was removed after a debate about its architectural [in]correctness and had nothing to do with any security hole. I'm not aware of any security-related fixes to startup_setrunelocale() in any version of FreeBSD, nor have I seen or heard (until your report) about any security-related problems in any of the locale code.

It sounds like you're suggesting that there was some sort of coverup, and that simply isn't true. Anyway, thank you for finding the problem. It's certainly not the only security hole in past versions of FreeBSD, but with bug reports like yours and others, we hope to make FreeBSD more secure in the future.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project