Date: Mon, 1 Jul 1996 09:05:16 +0200 (MET DST)
From: J Wunsch <j@uriah.heep.sax.de>
To: ache@nagual.ru (=?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?=)
Cc: joerg@freefall.freebsd.org, CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org, cvs-gnu@freefall.freebsd.org
Subject: Re: cvs commit: src/gnu/usr.bin/perl/perl perl.c
Message-ID: <199607010705.JAA09816@uriah.heep.sax.de>
In-Reply-To: <199606301641.UAA00915@nagual.ru> from "[?KOI8-R?]" at "Jun 30, 96 08:41:47 pm"

As [?KOI8-R?] wrote:

> > Back out Nate's changes from rev. 1.6; our Perl has not been
> > vulnerable since it used setreuid() as opposed to Posix saved IDs.
> > The change broke setuid scripts.
>
> ??? How can this change break setuid scripts? Do you mean that

It did. I'm regularly using some, and they all broke (at various
places, not just one machine). It called taintperl, and fed the
script as an ``fd script'', but nothing ever happened.

> the perl author supplied an incorrect patch?

In combination with our already modified sources, yes. (We don't use
Posix saved IDs, we switched to setreuid().)

--
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)