From: Jamie Landeg Jones
Date: Thu, 03 Dec 2009 18:29:14 +0000
To: timo.schoeler@riscworks.net, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
Message-Id: <200912031829.nB3ITEiX015363@catflap.bishopston.net>
In-Reply-To: <4B17D39B.5030204@riscworks.net>
References: <200912030930.nB39UhW9038238@freefall.freebsd.org> <4B179B90.10307@netfence.it> <200912031455.nB3EtriT031315@catflap.bishopston.net> <4B17D39B.5030204@riscworks.net>
> So, what would be 'best of practice' to apply the patch to 6.3-RELEASE
> upwards -- is the FreeBSD-7 patch applicable or should one wait for an
> official announcement?

I just noticed that the patch I replied with is basically the same as the FreeBSD-7 patch that was posted.

However, as has already been discussed, 6.X isn't exploitable by the posted bug, because the changes to the env functions that allow the exploit to work didn't happen until 7.X.

However, I would certainly apply the patch anyway - basically, the old way was just blindly unsetting environment variables and blindly assuming the unsetting worked. The new way does exactly the same unsetting, but if any of the unsets fails (due to a corrupt environment) it aborts.

Just in case there is some other way of exploiting the fact that rtld.c didn't check whether unsetenv was successful (which I bet people are now looking for), I'd apply the patch to 6.3 and 6.4 also, just to be sure.

Cheers,
Jamie
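As an added illustration, not the advisory's rtld.c patch (whose code is not on this page), here is a small C scrubber that behaves the way the reply describes the new code: the unset is attempted on a fixed list of loader variables, and if the environment is corrupt the function reports failure instead of silently leaving the variable in place, so the caller aborts. The function names, the variable list and the sample environments are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if every entry of envp has the "NAME=value" shape, else 0.
 * An entry with no '=' is the corrupt-environment case in which the
 * 7.x unsetenv(3) returns -1 and leaves the variable in place. */
static int env_is_well_formed(char *const *envp)
{
    for (; *envp != NULL; envp++)
        if (strchr(*envp, '=') == NULL)
            return 0;
    return 1;
}

/* Drop every entry whose name is listed in 'names' (in place).
 * Returns 0 on success; returns -1 and touches nothing if the
 * environment is corrupt, so the caller cannot mistake a failed
 * scrub for a successful one (hypothetical helper). */
int scrub_env_checked(char **envp, const char *const *names)
{
    char **out = envp;
    if (!env_is_well_formed(envp))
        return -1;
    for (char **in = envp; *in != NULL; in++) {
        size_t nlen = strcspn(*in, "=");   /* length of NAME */
        int drop = 0;
        for (const char *const *n = names; *n != NULL; n++)
            if (strlen(*n) == nlen && strncmp(*in, *n, nlen) == 0)
                drop = 1;
        if (!drop)
            *out++ = *in;
    }
    *out = NULL;
    return 0;
}

/* The "new way" from the patch: abort instead of running with an
 * environment whose dangerous entries may still be present.
 * Returns 1 if execution may proceed, 0 if it must stop. */
int may_proceed(char **envp)
{
    static const char *const unsafe[] = { "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_LIBMAP", NULL };
    if (scrub_env_checked(envp, unsafe) != 0) {
        fprintf(stderr, "environment corrupt; aborting\n");
        return 0;
    }
    return 1;
}
```

The "old way" would be the same scrub with the return value ignored, which is exactly the path the check closes.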