Date:      Mon, 3 Feb 1997 05:37:28 -0600 (CST)
From:      "Thomas H. Ptacek" <tqbf@enteract.com>
To:        dg@root.com
Cc:        tqbf@enteract.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG
Subject:   Re: Critical Security Problem in 4.4BSD crt0
Message-ID:  <199702031138.FAA21844@enteract.com>
In-Reply-To: <199702031131.DAA10128@root.com> from "David Greenman" at Feb 3, 97 03:31:29 am

>    For the record, the setlocale call from crt0 was removed after a debate
> about its architectural [in]correctness and had nothing to do with any

I figured as such. =)

> security hole. I'm not aware of any security related fixes to
> startup_setrunelocale() in any version of FreeBSD, nor have I seen or

The new locale routines attempt bounds checking and check for mismatched
e/uids to stave off locale vulnerabilities in SUID programs (probably
based on the idea that users shouldn't have that much control over the
internal operations of an SUID program).

> locale code. It sounds like you're suggesting that there was some sort of
> coverup, and that simply isn't true.

I'm sorry, that wasn't what I was trying to imply. I would see no reason
for the FreeBSD team to cover up security problems. I do have a general
problem with a lack of announcement from the FreeBSD team about problems
(as they're found), but I certainly wouldn't want to suggest that you're
in any way sitting on this problem. 

I'm sure that, given the severity of this problem, I'll be seeing an
official announcement about this problem from the FreeBSD folks very soon.

Thanks for clarifying.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."
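
The two defenses the message names, bounds checking and a check for mismatched real/effective IDs, are sketched below as an added example; it is not part of the original e-mail and is not FreeBSD's code. The function name `locale_path`, the `LOCALE_DIR_OVERRIDE` variable, the default directory and the `LC_CTYPE` file name are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define DEFAULT_LOCALE_DIR "/usr/share/locale"  /* assumed default for this sketch */

/* Hypothetical helper: build the path of a locale data file into out.
 * env_dir is a user-supplied directory override (may be NULL).
 * Returns 0 on success, -1 if the request is rejected. */
int locale_path(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                const char *env_dir, const char *name,
                char *out, size_t outlen)
{
    const char *dir = DEFAULT_LOCALE_DIR;
    int n;

    /* A locale name is a single path component: reject empty names,
     * anything containing '/', and the dot entries. */
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;

    /* Mismatched e/uid or e/gid means the program runs with elevated
     * privilege; the caller's override is ignored in that case. */
    if (env_dir != NULL && ruid == euid && rgid == egid)
        dir = env_dir;

    /* Bounds check: snprintf reports the length it needed, so a result
     * that does not fit is rejected instead of silently truncated. */
    n = snprintf(out, outlen, "%s/%s/LC_CTYPE", dir, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    char path[256];
    const char *lang = getenv("LANG");

    /* LOCALE_DIR_OVERRIDE is a made-up variable name for this example. */
    if (locale_path(getuid(), geteuid(), getgid(), getegid(),
                    getenv("LOCALE_DIR_OVERRIDE"), lang ? lang : "C",
                    path, sizeof path) == 0)
        printf("would load %s\n", path);
    else
        printf("locale request rejected\n");
    return 0;
}
```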



