Date: Fri, 4 Dec 2009 19:07:28 +0100
From: Nikolaos Rangos <nikolaos.rangos@googlemail.com>
To: FreeBSD-security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
Message-ID: <12373a410912041007u3a1f810eu63e7081fdde56a17@mail.gmail.com>
Hello all,

First of all, this was a really quick patch time for the rtld bug. Nevertheless I have to say some things about the patch. In my eyes the first quickpatch sent out in the first place, when the exploit was posted on bugtraq, did for sure fix the bug that let one slip through rtld and become root. I don't think the final patch did patch the root cause though. I know it's up to the FreeBSD Team to give out advisories and patch bugs; I just give my opinion on the bug here.

unsetenv FAILS to unset the environment variable, so why is this? Because of the bug that lets one corrupt the environment. So in my opinion it is not sufficient to patch a code line in one place and leave other instances, where this bug may happen, open to the bug. Env calls are used widely. I did some more auditing and found out that putenv and setenv also FAIL on setting environment variables when the environ array variable is modified directly to corrupt the environment. So it would be possible to set an environment variable which in this case is not UNSETABLE or SETABLE (unsetenv and putenv/setenv respectively); in my eyes this is a bad behaviour of the environment handling routines introduced recently in FreeBSD. So the bug is not only in not checking the return values, but also in the code that lets one refuse to set or unset envvars. I do my best to understand it correctly but may be wrong on this. I would be glad to see this fixed soon, if it has not happened to this day, but as I said it's up to the FreeBSD Team, which did a great job here.

Regards,
Nikolaos Rangos
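A defensive illustration of the point made in the message, added here and not part of the original post or of FreeBSD's rtld: unset the loader variables, never ignore the return value of unsetenv(), and confirm removal independently before trusting the environment, failing closed otherwise. The variable list, function names and the sample value are assumptions constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Variables a privileged loader must not honour (hypothetical list for this example). */
static const char *const unsafe_vars[] = { "LD_PRELOAD", "LD_LIBRARY_PATH", NULL };

/* Remove each variable and verify it is really gone. Returns 0 on success, -1 if any
   unsetenv() call reports failure OR the name is still visible afterwards, which is
   exactly the situation the thread describes (unsetenv failing on a corrupted environ). */
int scrub_unsafe_env(void)
{
    int rc = 0;
    for (const char *const *p = unsafe_vars; *p; ++p) {
        if (unsetenv(*p) != 0)   /* never ignore the return value */
            rc = -1;
        if (getenv(*p) != NULL)  /* belt and braces: confirm the entry is gone */
            rc = -1;
    }
    return rc;
}

/* Independent check that walks environ directly instead of trusting getenv():
   returns how many unsafe "NAME=value" entries are still present. */
int count_unsafe_entries(void)
{
    int n = 0;
    for (char **e = environ; e != NULL && *e != NULL; ++e) {
        for (const char *const *p = unsafe_vars; *p; ++p) {
            size_t len = strlen(*p);
            if (strncmp(*e, *p, len) == 0 && (*e)[len] == '=')
                n++;
        }
    }
    return n;
}

int main(void)
{
    setenv("LD_PRELOAD", "/tmp/constructed-sample.so", 1); /* constructed sample input */
    if (scrub_unsafe_env() != 0 || count_unsafe_entries() != 0) {
        fputs("environment could not be sanitised; refusing to continue\n", stderr);
        return 1; /* fail closed rather than run with an untrusted environment */
    }
    puts("environment sanitised");
    return 0;
}
```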