From owner-freebsd-security Mon Feb 3 03:38:28 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5)
    id DAA24289 for security-outgoing; Mon, 3 Feb 1997 03:38:28 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1])
    by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id DAA24284 for ;
    Mon, 3 Feb 1997 03:38:26 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6)
    id FAA21844; Mon, 3 Feb 1997 05:38:09 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702031138.FAA21844@enteract.com>
Subject: Re: Critical Security Problem in 4.4BSD crt0
To: dg@root.com
Date: Mon, 3 Feb 1997 05:37:28 -0600 (CST)
Cc: tqbf@enteract.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG
Reply-To: tqbf@enteract.com
In-Reply-To: <199702031131.DAA10128@root.com> from "David Greenman" at Feb 3, 97 03:31:29 am
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> For the record, the setlocale call from crt0 was removed after a debate
> about its architectural [in]correctness and had nothing to do with any

I figured as such. =)

> security hole. I'm not aware of any security related fixes to
> startup_setrunelocale() in any version of FreeBSD, nor have I seen or

The new locale routines attempt bounds checking and check for mismatched
e/uids to stave off locale vulnerabilities in SUID programs (probably
based on the idea that users shouldn't have that much control over the
internal operations of an SUID program).

> locale code. It sounds like you're suggesting that there was some sort of
> coverup, and that simply isn't true.

I'm sorry, that wasn't what I was trying to imply. I would see no reason
for the FreeBSD team to cover up security problems.

I do have a general problem with a lack of announcement from the FreeBSD
team about problems (as they're found), but I certainly wouldn't want to
suggest that you're in any way sitting on this problem. I'm sure that,
given the severity of this problem, I'll be seeing an official
announcement about this problem from the FreeBSD folks very soon.

Thanks for clarifying.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."
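
Added example (not part of the original message, and not FreeBSD's libc code): the two checks the message describes, an e/uid mismatch test that makes a set-id program ignore a user-supplied locale directory, and a bounds check on the constructed path. The variable name PATH_LOCALE, the default directory and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define DEFAULT_LOCALE_DIR "/usr/share/locale" /* assumed default directory */

/* Nonzero when real and effective ids differ, i.e. a set-id program. */
static int ids_mismatch(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/*
 * Write "<dir>/<locale>/LC_CTYPE" into out (hypothetical helper).
 * env_dir is honoured only when the process is not set-id.
 * Returns 0 on success, -1 if the name is missing or the path does not fit.
 */
static int build_locale_path(char *out, size_t outlen, const char *env_dir,
                             const char *locale, int setid)
{
    const char *dir = DEFAULT_LOCALE_DIR;
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (locale == NULL || locale[0] == '\0')
        return -1;
    if (env_dir != NULL && env_dir[0] != '\0' && !setid)
        dir = env_dir;              /* user-controlled directory, unprivileged only */
    n = snprintf(out, outlen, "%s/%s/LC_CTYPE", dir, locale);
    if (n < 0 || (size_t)n >= outlen) {   /* would truncate: reject the path */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[256];
    const char *lang = getenv("LANG");
    int setid = ids_mismatch(getuid(), geteuid(), getgid(), getegid());

    if (build_locale_path(path, sizeof path, getenv("PATH_LOCALE"),
                          lang ? lang : "C", setid) == 0)
        printf("locale file: %s\n", path);
    else
        fprintf(stderr, "locale path rejected\n");
    return 0;
}
```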