Date:      Fri, 27 Aug 1999 13:35:51 +1000
From:      Bruce Evans <bde@zeta.org.au>
To:        hart@iserver.com, imp@village.org
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: FreeBSD (and other BSDs?) local root explot]
Message-ID:  <199908270335.NAA19831@godzilla.zeta.org.au>

>: Has anyone investigated patches to the fts(3) functions in libc?  We've
>: seen kernel patches (to stop following symbolic links when dumping core?) 
>: but it would be nice to fix the fts(3) bugs as well that started all of
>: this. 
>
>Bruce has done that.  He's trying to get them to the point he's happy

I checked my backups and found that I fixed it on May 6 (a week before
the first BUGTRAQ mail about it that I know of).  Requests for reviews
were not responded to :-(.

>with them and track down all the implied POSIX issues that might
>result from changing fts.  I will admit that I've been slow in the

Actually, all the C portability and programming issues.  fts does
bad things like pointer arithmetic with pointers to storage that
may have been invalidated by realloc().

>This exploit pointed out several bugs.  periodic shouldn't allow its

I wanted a review because I'm not a security person and didn't want
to guess the extent of the bug.

>children to dump core (since you don't want new core files in your
>dump every day), core dumps *MUST*NOT* follow symbolic links (which
>they didn't do in 2.x, but there was some backsliding in 3.x and 4.x
>in this area), fts has an overflow which can cause problems in large,
>wide trees.  Had any one of these been different, the problem would
>not have happened.  There are also some downstream issues with many

I think the pointer bug would just have been harder to exploit.

Bruce
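The pointer problem Bruce describes (arithmetic on a pointer into storage that realloc() may have moved) is easiest to see in a small growable path buffer. The code below is an added illustration written for this page; it is not fts(3) code and the `pathbuf` structure and its functions are hypothetical. It keeps an offset across the grow and recomputes the write pointer afterwards, and it counts how many times realloc() actually relocated the block, which is how often a pointer cached before the grow would have dangled.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable path buffer, constructed for this example. */
struct pathbuf {
    char *base;   /* heap storage; may move on every grow */
    size_t len;   /* bytes in use, excluding the terminating NUL */
    size_t cap;   /* bytes allocated */
};

/* Ensure room for `extra` more bytes plus a NUL. Returns 0 on success,
 * -1 on allocation failure. Sets *moved to 1 if realloc relocated the
 * block. The address comparison uses an integer copy taken before the
 * call, so no freed pointer value is read. */
static int pathbuf_grow(struct pathbuf *pb, size_t extra, int *moved)
{
    *moved = 0;
    if (pb->base != NULL && pb->len + extra + 1 <= pb->cap)
        return 0;
    size_t ncap = pb->cap ? pb->cap : 16;
    while (ncap < pb->len + extra + 1)
        ncap *= 2;
    uintptr_t before = (uintptr_t)pb->base;
    char *n = realloc(pb->base, ncap);
    if (n == NULL)
        return -1;
    *moved = (before != 0 && before != (uintptr_t)n);
    pb->base = n;
    pb->cap = ncap;
    return 0;
}

/* Append one component. Only an offset is kept across the grow; the
 * write pointer is recomputed from the possibly-new base. Caching
 * `pb->base + pb->len` before pathbuf_grow() and writing through it
 * afterwards is the stale-pointer pattern described in the mail. */
static int pathbuf_append(struct pathbuf *pb, const char *comp, int *moved)
{
    size_t clen = strlen(comp);
    size_t sep = pb->len > 0 ? 1 : 0;
    size_t off = pb->len;                       /* survives realloc */
    if (pathbuf_grow(pb, sep + clen, moved) != 0)
        return -1;
    char *cp = pb->base + off;                  /* recomputed after grow */
    if (sep)
        *cp++ = '/';
    memcpy(cp, comp, clen + 1);                 /* copies the NUL too */
    pb->len = off + sep + clen;
    return 0;
}

/* Join constructed components into a path. Returns a malloc'd string
 * (caller frees) or NULL on failure. *relocations receives the number
 * of appends during which realloc moved the buffer. */
char *build_path(const char *const *comps, size_t n, int *relocations)
{
    struct pathbuf pb = { NULL, 0, 0 };
    int moved, total = 0;
    if (pathbuf_grow(&pb, 0, &moved) != 0)
        return NULL;
    pb.base[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (pathbuf_append(&pb, comps[i], &moved) != 0) {
            free(pb.base);
            return NULL;
        }
        total += moved;
    }
    *relocations = total;
    return pb.base;
}
```

Whether a given realloc() moves the block depends on the allocator, so the relocation count is only reported, not relied on; the point is that the offset-based append produces the right path regardless of how often the storage moves.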

