From owner-freebsd-security Wed Feb 5 13:34:33 1997
Message-Id: <199702052134.NAA11176@root.com>
To: tqbf@enteract.com
cc: karl@mcs.net, freebsd-security@freebsd.org
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
In-reply-to: Your message of "05 Feb 1997 19:03:33 GMT." <19970205190333.11804.qmail@char-star.rdist.org>
From: David Greenman
Reply-To: dg@root.com
Date: Wed, 05 Feb 1997 13:34:18 -0800
Sender: owner-security@freebsd.org

>>Note that Tom Ptacek WILL be releasing *EXPLOITS AND DETAILS* within one
>>week. Either this gets fixed or the world knows how to break in.
>
>I'm not concerned about the "fix" for the problem in question, since
>they're already out there (just remove locale processing altogether). I'm
>concerned that the FreeBSD project is not going to inform their users of
>this problem. This is, in my opinion, probably the most severe problem
>with FreeBSD that has been brought to public attention.
>
>An advisory for this problem needs to be released immediately. The FreeBSD
>project needs to come to grips with the fact that there are many, many
>people who won't act on a problem until CERT releases an advisory. Until
>that happens, people will remain vulnerable to the problem, regardless of
>how much effort goes into finding "the right fix".
>
>I'll repeat myself, again: everyone that you should be worried about
>having exploit details to this problem ALREADY DOES. People are being
>broken into with this as we speak. There's a vast amount of 2.1 systems
>out there, and those 2.1 systems are on networks with other systems, and
>their vulnerabilities are going to seed the compromise of entire networks.
>
>This is not good.
>
>Please, please, please alert the public (and the incident response teams)
>about this problem.

   The problem is fixed in all of our source branches by removing the
support for PATH_LOCALE. It was there only as a debugging aid in the first
place. An announcement including a proper patch for the problem is being
worked on. It's taken much longer to put together an accurate announcement
because of uncertainties about just exactly which versions are affected and
just exactly how. It's not as simple as you might first think and we don't
want to provide disinformation to the public about this problem.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project