Date: Thu, 7 Sep 2000 15:36:59 -0700 (PDT) From: Kris Kennaway <kris@FreeBSD.org> To: =?iso-8859-1?Q?Iv=E1n?= Arce <core.lists.freebsd-security@core-sdi.com> Cc: freebsd-security@freebsd.org Subject: Re: UNIX locale format string vulnerability (fwd) Message-ID: <Pine.BSF.4.21.0009071535520.25298-100000@freefall.freebsd.org> In-Reply-To: <39B81932.F5832679@core-sdi.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 8 Sep 2000, [iso-8859-1] Iván Arce wrote:
> No, the proper fix is to
> 1. Ensure that SUID programs dont follow user directives of where
> to take messages with catgets() from. (This is done on
> FreeBSD base system)
>
> AND
>
> 2. to ensure that unchecked user suplied data is not passed
> to printf() functions as the fmt argument.
>
> If instead of doing printf(catgets("foo")) you
> do printf("%s",catgets("foo")) the problem does not appear.
We're actually talking about something different here. It's only
indirectly related to setuid programs and format strings - the real issue
is sudo filtering the environment of the program it runs with privileges
on behalf of the user.
Kris
--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <forsythe@alum.mit.edu>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0009071535520.25298-100000>