From owner-freebsd-security@FreeBSD.ORG  Fri Mar 12 03:15:26 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id BBE3316A4CE; Fri, 12 Mar 2004 03:15:26 -0800 (PST)
Received: from mailhost.stack.nl (vaak.stack.nl [131.155.140.140])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 1DE8243D31; Fri, 12 Mar 2004 03:15:26 -0800 (PST)
	(envelope-from marcolz@stack.nl)
Received: from hammer.stack.nl (hammer.stack.nl [2001:610:1108:5010::153])
	by mailhost.stack.nl (Postfix) with ESMTP
	id 40519BCC#4ECF81F017; Fri, 12 Mar 2004 12:15:24 +0100 (CET)
Received: by hammer.stack.nl (Postfix, from userid 333)
	id 5D9A161B7; Fri, 12 Mar 2004 12:15:26 +0100 (CET)
Date: Fri, 12 Mar 2004 12:15:26 +0100
From: Marc Olzheim <marcolz@stack.nl>
To: Ruslan Ermilov <ru@FreeBSD.org>
Message-ID: <20040312111526.GA14260@stack.nl>
References: <200403120922.i2C9M0jC002510@stud326.idi.ntnu.no>
	<20040312104914.GA52099@ip.net.ua>
	<20040312105730.GA99925@stud326.idi.ntnu.no>
	<20040312110657.GB52099@ip.net.ua>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040312110657.GB52099@ip.net.ua>
X-Operating-System: FreeBSD hammer.stack.nl 5.2-CURRENT FreeBSD 5.2-CURRENT
X-URL: http://www.stack.nl/~marcolz/
User-Agent: Mutt/1.5.6i
cc: Morten Rodal <morten@rodal.no>
cc: security@FreeBSD.org
Subject: Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2)
	with no argv.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Mar 2004 11:15:26 -0000

On Fri, Mar 12, 2004 at 01:06:57PM +0200, Ruslan Ermilov wrote:
> And the fact that optind is initially set to 1.  I wonder what
> could be the implications for setuid programs.  There could be
> quite unpredictable results, as the "argv" pointer is incorrectly
> advanced in this case, and at least several setuid programs that
> I've glanced at are vulnerable to this attack.

See also: http://www.freebsd.org/cgi/query-pr.cgi?pr=33738

Marc