Date: Fri, 27 Aug 1999 13:35:51 +1000
From: Bruce Evans <bde@zeta.org.au>
To: hart@iserver.com, imp@village.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD (and other BSDs?) local root explot]
Message-ID: <199908270335.NAA19831@godzilla.zeta.org.au>
>: Has anyone investigated patches to the fts(3) functions in libc? We've
>: seen kernel patches (to stop following symbolic links when dumping core?)
>: but it would be nice to fix the fts(3) bugs as well that started all of
>: this.
>
>Bruce has done that. He's trying to get them to the point he's happy

I checked my backups and found that I fixed it on May 6 (a week before the first BUGTRAQ mail about it that I know of). Requests for reviews were not responded to :-(.

>with them and track down all the implied POSIX issues that might
>result from changing fts. I will admit that I've been slow in the

Actually, all the C portability and programming issues. fts does bad things like pointer arithmetic with pointers to storage that may have been invalidated by realloc().

>This exploit pointed out several bugs. periodic shouldn't allow its

I wanted a review because I'm not a security person and didn't want to guess the extent of the bug.

>children to dump core (since you don't want new core files in your
>dump every day), core dumps *MUST*NOT* follow symbolic links (which
>they didn't do in 2.x, but there was some back sliding in 3.x and 4.x
>in this area), fts has an overflow which can cause problems in large,
>wide trees. Had any one of these been different, the problem would
>not have happened. There are also some downstream issues with many

I think the pointer bug would just have been harder to exploit.

Bruce

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
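The bug class named in the message above (pointer arithmetic on storage that realloc() may have moved) and the usual fix of storing offsets instead of pointers, as an added example that is not part of the original thread and is not FreeBSD's fts code. The names `struct pathbuf`, `pb_push` and `survives_growth`, and the sample path components, are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical growable path buffer (not fts's real structures). */
struct pathbuf {
    char  *base;   /* start of storage; may move on any realloc() */
    size_t len;    /* bytes used, not counting the NUL */
    size_t cap;    /* bytes allocated */
};

/* Append "/name". Returns the OFFSET of the new component, or SIZE_MAX on
 * failure. An offset stays valid when the buffer moves; a char * does not. */
static size_t pb_push(struct pathbuf *pb, const char *name)
{
    size_t n = strlen(name);
    if (n > SIZE_MAX - pb->len - 2)           /* length arithmetic would wrap */
        return SIZE_MAX;
    size_t need = pb->len + n + 2;            /* '/' + name + NUL */
    if (need > pb->cap) {
        size_t ncap = pb->cap ? pb->cap : 16;
        while (ncap < need && ncap <= SIZE_MAX / 2)
            ncap *= 2;
        char *p = ncap >= need ? realloc(pb->base, ncap) : NULL;
        if (p == NULL)
            return SIZE_MAX;                  /* old block, if any, still valid */
        pb->base = p;                         /* every older char * is now stale */
        pb->cap = ncap;
    }
    size_t off = pb->len + 1;
    pb->base[pb->len] = '/';
    memcpy(pb->base + off, name, n + 1);
    pb->len = off + n;
    return off;
}

/* Push one component, grow `depth` more times, re-read it via its offset. */
static int survives_growth(int depth)
{
    struct pathbuf pb = {0};
    size_t first = pb_push(&pb, "etc");       /* NOT: char *p = pb.base + off */
    int ok = first != SIZE_MAX;
    for (int i = 0; ok && i < depth; i++)     /* constructed deep tree */
        ok = pb_push(&pb, "subdir") != SIZE_MAX;
    ok = ok && strncmp(pb.base + first, "etc", 3) == 0; /* re-derived pointer */
    free(pb.base);
    return ok;
}

int main(void) { return survives_growth(200) ? 0 : 1; }
```

Building with `-fsanitize=address` and swapping the offset for a `char *` saved before the loop makes the stale read show up as a heap-use-after-free report.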