From owner-freebsd-security@FreeBSD.ORG Fri Dec 4 18:31:30 2009
From: Nikolaos Rangos <nikolaos.rangos@googlemail.com>
To: FreeBSD-security@FreeBSD.org
Date: Fri, 4 Dec 2009 19:07:28 +0100
Message-ID: <12373a410912041007u3a1f810eu63e7081fdde56a17@mail.gmail.com>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
Hello all,

First of all, this was a real quick patch time for the rtld bug. Nevertheless I have to say some things about the patch.

In my eyes the first quickpatch, sent out in the first place when the exploit was posted on bugtraq, did for sure fix the bug that let one slip through rtld and become root. I don't think the final patch did patch the root cause though. I know it's up to the FreeBSD Team to give out advisories and patch bugs; I just give my opinion on the bug here.

unsetenv FAILS to unset the environment variable, so why is this? Because of the bug that lets one corrupt the environment. So in my opinion it is not sufficient to patch a code line in one place and leave other instances, where this bug may happen, open to the bug. Env calls are used widely.

I did some more auditing and found out that putenv and setenv also FAIL on setting environment variables when the environ array variable is modified directly to corrupt the environment. So it would be possible to set an environment variable which in this case is not UNSETABLE or SETABLE (unsetenv and putenv/setenv respectively). In my eyes this is a bad behaviour of the environment handling routines introduced recently in FreeBSD. So the bug is not only in not checking the return values, but also in the code that lets one refuse to set or unset envvars.

I do my best to understand it correctly but may be wrong on this. I would be glad to see this fixed soon if it has not happened to this day, but as I said it's up to the FreeBSD Team, which did a great job here.

Regards,
Nikolaos Rangos
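The defensive pattern the thread is about, as an added example that is neither the poster's code nor FreeBSD's rtld: a privileged program that strips LD_* variables must check each unsetenv() return value and then re-scan the live environ, so that a libc which refuses to unset (the FreeBSD behaviour described above) or a malformed entry is reported instead of silently passed through. The helper names scrub_env_prefix and demo_scrub, the "LD_" prefix and the seeded values are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Remove every variable whose name starts with `prefix`. Returns 0 only when
 * every unsetenv() succeeded AND a fresh scan of environ finds no survivor;
 * -1 otherwise. Hypothetical helper for this example, not rtld's code. */
int scrub_env_prefix(const char *prefix)
{
    size_t plen = strlen(prefix), i = 0;
    int failed = 0;

    while (environ != NULL && environ[i] != NULL) {
        const char *entry = environ[i];
        const char *eq = strchr(entry, '=');
        size_t nlen; char name[256];

        /* Skip non-matching entries; a malformed one (no '=') is left for the
         * verification pass below to report. */
        if (eq == NULL || strncmp(entry, prefix, plen) != 0) { i++; continue; }
        nlen = (size_t)(eq - entry);
        if (nlen >= sizeof name) { failed = 1; i++; continue; }
        memcpy(name, entry, nlen);
        name[nlen] = '\0';
        /* The check rtld was missing: a failing unsetenv() is not success. */
        if (unsetenv(name) != 0) { failed = 1; i++; }
        /* On success environ was compacted, so environ[i] is already the next entry. */
    }
    /* Do not trust return values alone: re-scan the live environ. */
    for (i = 0; environ != NULL && environ[i] != NULL; i++)
        if (strncmp(environ[i], prefix, plen) == 0)
            return -1;
    return failed ? -1 : 0;
}

/* Constructed demo: seed LD_* values, scrub, and return 0 on success. */
int demo_scrub(void)
{
    setenv("LD_PRELOAD", "/tmp/constructed.so", 1);
    setenv("LD_LIBRARY_PATH", "/tmp/constructed", 1);
    setenv("UNRELATED_LD_VAR", "keep", 1);
    if (scrub_env_prefix("LD_") != 0) return 1;
    if (getenv("LD_PRELOAD") || getenv("LD_LIBRARY_PATH")) return 2;
    return getenv("UNRELATED_LD_VAR") ? 0 : 3;
}

int main(void) { printf("scrub demo: %d\n", demo_scrub()); return 0; }
```

A non-zero result from scrub_env_prefix() is the signal a setuid loader should treat as fatal rather than continuing with a possibly attacker-controlled environment.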