From: David Greenman <dg@root.com>
To: tqbf@enteract.com
cc: sadmin@roundtable.cif.rochester.edu, freebsd-security@freebsd.org
Subject: Re: 2.1.7
In-reply-to: Your message of "Sun, 09 Feb 1997 00:24:46 CST." <199702090625.AAA18562@enteract.com>
Date: Sat, 08 Feb 1997 22:55:01 -0800
Message-Id: <199702090655.WAA07032@root.com>

>> Installing the fixed libc should solve the problem for everything that is
>> built the standard, dynamic/'shared library' way.
>
> crt0 is dynamically linked? I don't see the kernel resolving dynamic
> loading - I thought that was crt0's job. Am I wrong?

crt0 is static and part of every binary. The real problem is with what crt0 calls - _startup_setlocale() in libc, which does a getenv of PATH_LOCALE and copies it to a stack buffer without bounds checking. I removed the getenv call from the libc code, so this attack simply doesn't exist anymore. Anything that is built shared/dynamic will get the new libc and thus will no longer be vulnerable.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project
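The defect described above (an environment value copied into a fixed stack buffer with no length check) and the two ways of closing it, as an added illustration that is not code from the 2.1.7 libc or from the message: `copy_locale_path` is a hypothetical bounded replacement for the unchecked copy, and `trust_env == false` models the fix the message actually applied, not consulting the environment at all. The buffer size is a constructed placeholder; the real one is not given on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed size; the page does not give the real buffer length. */
#define LOCALE_PATH_BUFSZ 64

/* Hypothetical bounded replacement for the unchecked copy. `value` stands
 * for what getenv("PATH_LOCALE") would have returned. Copies it only if it
 * fits in `buf` including the terminating NUL; otherwise rejects it and
 * leaves the buffer untouched. Never scans past bufsz bytes of `value`. */
bool copy_locale_path(const char *value, char *buf, size_t bufsz)
{
    if (value == NULL || bufsz == 0)
        return false;
    const char *nul = memchr(value, '\0', bufsz);
    if (nul == NULL)            /* no NUL within bufsz: value is too long */
        return false;
    memcpy(buf, value, (size_t)(nul - value) + 1);
    return true;
}

/* Startup policy. trust_env == false reproduces the message's fix: the
 * environment is never consulted, so there is nothing to overflow.
 * trust_env == true consults it, but only through the bounded copy. */
bool startup_locale_path(bool trust_env, const char *env_value,
                         char buf[LOCALE_PATH_BUFSZ])
{
    buf[0] = '\0';
    if (!trust_env)
        return true;
    return copy_locale_path(env_value, buf, LOCALE_PATH_BUFSZ);
}

/* Self-check over constructed inputs: a normal path is accepted, an
 * over-long one is rejected, and the no-getenv policy ignores it. */
int locale_path_self_test(void)
{
    char buf[LOCALE_PATH_BUFSZ];
    char longval[LOCALE_PATH_BUFSZ * 4];
    memset(longval, 'A', sizeof longval - 1);
    longval[sizeof longval - 1] = '\0';

    if (!startup_locale_path(true, "/usr/share/locale", buf)) return 0;
    if (strcmp(buf, "/usr/share/locale") != 0) return 0;
    if (startup_locale_path(true, longval, buf)) return 0;     /* must reject */
    if (!startup_locale_path(false, longval, buf)) return 0;   /* env ignored */
    return buf[0] == '\0';
}
```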