From owner-freebsd-security Thu Feb 6 08:10:23 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id IAA07737 for security-outgoing; Thu, 6 Feb 1997 08:10:23 -0800 (PST) Received: from coven.queeg.com (queeg.com [204.95.70.218]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA07689 for ; Thu, 6 Feb 1997 08:10:10 -0800 (PST) Received: (from brion@localhost) by coven.queeg.com (8.8.5/8.8.4) id IAA13359; Thu, 6 Feb 1997 08:07:59 -0800 (PST) Date: Thu, 6 Feb 1997 08:07:59 -0800 (PST) Message-Id: <199702061607.IAA13359@coven.queeg.com> From: Brion Moss To: Vadim Kolontsov Cc: freebsd-security@freebsd.org Subject: Re:summury: holes in locale In-Reply-To: References: Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Any patchkit should also include the patches to the source; otherwise the security-patched binary version may be clobbered by someone rebuilding from source later on. I think it would be a big win if the security patch system worked using the pkg system; that way it would be easy to tell what patches had been applied (all you would need to do is run pkg_info). Maybe even add a -P option to pkg_info to show all installed patches...the solaris patch system works this way, and it's one of the nicer things about solaris. -Brion Vadim Kolontsov writes: > Hello, > > the summary about patchkit. > > Patchkit must understand all versions of FreeBSD, and make a correct > changes in the system. It must contain: > > 1) corrected /usr/lib/libc.a, libc.so.* > 2) corrected /usr/lib/crt0.o > 3) lfix, which patches statically linked binaries (why to > patch dinamically linked bins? we already fixed this bug placing patched > libc in /usr/lib, isn't it?) > 4) some script, which can make all modification automatically; it must > check if we are working in single-user mode (to avoid problem with > running binaries) > 5) good README > > My part of project: lfix/ltest. I have to make changes in it, because at > this time lfix/ltest tested only on FreeBSD 2.1.0 (by me). Also checking > for static/dyn linking can be added.. and chflag handling.. > > I still don't know what we need to do with statically linked binaries > which calls locale stuff by itself.. may be we can patch libc, contained > in binary (pattern search for _startup_locale code etc)?... of course, > recompiling is the solution... > > Anybody knows, how many statically linked setuid binaries call locale > routines by itself? (not by their C startup module) May be, we can include > corrected (recompiled) versions of them into the patchkit?.. For all > versions of FreeBSD? > > Any ideas, suggestions, volunteers?.. > > Best regards, Vadim. > -------------------------------------------------------------------------- > Vadim Kolontsov SysAdm/Programmer > Tver Regional Center of New Information Technologies Networks Lab > >