Message-ID: <4B1809BA.2050702@gmail.com>
Date: Thu, 03 Dec 2009 20:55:54 +0200
From: Dmitry Pryanishnikov
To: Jamie Landeg Jones
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

Hello!

> The change that introduced the bug was made as follows:
>
> | Revision 1.124: download - view: text, markup, annotated - select for diffs
> | Thu May 17 18:00:27 2007 UTC (2 years, 6 months ago) by csjp
> | Branches: MAIN
...
> This was also ported MFC'd into 6.3 onwards:
...
> So, yes, FreeBSD 6.3-RELEASE upwards are affected - FreeBSD 6.2 isn't.

Well, not exactly. This change introduces vulnerability _only_ if *env()
implementation allows to create an environment, in which unsetenv(X) will
fail but getenv(X) will still work. RELENG_6 luckily uses old, legacy, but
_consistent_ *env() implementation which just uses the same variable search
routine __findenv() both in getenv() and unsetenv(). So IMHO the advisory is
correct, and there is no need to patch 6.*.

Sincerely, Dmitry
--
nic-hdl: LYNX-RIPE
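The condition described in the mail, modelled in C as an added example (not FreeBSD libc or rtld code, and not part of the original message): removal and lookup either share one search routine or diverge, and only a caller that checks the return value fails closed. The `toy_*` names, the `split_lookup` flag and the variable `TOY_VAR` are assumptions made for illustration.

```c
/* Added illustration: a toy environment, not FreeBSD libc or rtld source. */
#include <stddef.h>
#include <string.h>
#define TOY_MAX 8
struct toy_env {
    const char *vars[TOY_MAX]; /* "NAME=value" entries, NULL-terminated */
    int split_lookup;          /* assumption: 1 = removal fails, lookup works */
};
/* Shared search routine, the role __findenv() plays in the mail. */
static int toy_find(const struct toy_env *e, const char *name)
{
    size_t n = strlen(name);
    for (int i = 0; i < TOY_MAX && e->vars[i] != NULL; i++)
        if (strncmp(e->vars[i], name, n) == 0 && e->vars[i][n] == '=')
            return i;
    return -1;
}
const char *toy_getenv(const struct toy_env *e, const char *name)
{
    int i = toy_find(e, name);
    return i < 0 ? NULL : e->vars[i] + strlen(name) + 1;
}
/* 0 on success, -1 on failure, the same convention as unsetenv(3). */
int toy_unsetenv(struct toy_env *e, const char *name)
{
    int i;
    if (e->split_lookup) return -1;   /* modelled failure: variable stays */
    if ((i = toy_find(e, name)) < 0) return 0; /* absent: nothing to do */
    for (; i < TOY_MAX - 1 && e->vars[i] != NULL; i++)
        e->vars[i] = e->vars[i + 1];  /* shift the tail down over the entry */
    return 0;
}
/* Ignores the result; returns 1 if the variable is still visible afterwards. */
int scrub_unchecked(struct toy_env *e, const char *name)
{
    (void)toy_unsetenv(e, name);
    return toy_getenv(e, name) != NULL;
}
/* Fail-closed: 0 = variable gone, -1 = caller must refuse to continue. */
int scrub_checked(struct toy_env *e, const char *name)
{
    if (toy_unsetenv(e, name) != 0) return -1;
    return toy_getenv(e, name) == NULL ? 0 : -1;
}
/* Constructed sample environment; TOY_VAR is a made-up variable name. */
int demo(int split_lookup, int checked)
{
    struct toy_env e = { { "PATH=/bin", "TOY_VAR=x", NULL }, split_lookup };
    return checked ? scrub_checked(&e, "TOY_VAR") : scrub_unchecked(&e, "TOY_VAR");
}
```

With `split_lookup` set to 0 both scrub routines leave the variable absent, which is the consistent case the mail attributes to RELENG_6; with it set to 1 the unchecked scrub leaves the variable visible, while the checked one reports the failure.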