Date: Mon, 3 Feb 1997 05:37:28 -0600 (CST) From: "Thomas H. Ptacek" <tqbf@enteract.com> To: dg@root.com Cc: tqbf@enteract.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG Subject: Re: Critical Security Problem in 4.4BSD crt0 Message-ID: <199702031138.FAA21844@enteract.com> In-Reply-To: <199702031131.DAA10128@root.com> from "David Greenman" at Feb 3, 97 03:31:29 am
next in thread | previous in thread | raw e-mail | index | archive | help
> For the record, the setlocale call from crt0 was removed after a debate > about its architectural [in]correctness and had nothing to do with any I figured as such. =) > security hole. I'm not aware of any security related fixes to > startup_setrunelocale() in any version of FreeBSD, nor have I seen or The new locale routines attempt bounds checking and check for mismatched e/uids to stave off locale vulnerabilities in SUID programs (probably based on the idea that users shouldn't have that much control over the internal operations of an SUID program). > locale code. It sounds like you're suggesting that there was some sort of > coverup, and that simply isn't true. I'm sorry, that wasn't what I was trying to imply. I would see no reason for the FreeBSD team to cover up security problems. I do have a general problem with a lack of announcement from the FreeBSD team about problems (as they're found), but I certainly wouldn't want to suggest that you're in any way sitting on this problem. I'm sure that, given the severity of this problem, I'll be seeing an official announcement about this problem from the FreeBSD folks very soon. Thanks for clarifying. ---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com] ---------------- "I'm standing alone, I'm watching you all, I'm seeing you sinking."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702031138.FAA21844>