From owner-cvs-gnu  Mon Jul  1 01:04:37 1996
Return-Path: owner-cvs-gnu
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id BAA08342
          for cvs-gnu-outgoing; Mon, 1 Jul 1996 01:04:37 -0700 (PDT)
Received: from irz301.inf.tu-dresden.de (irz301.inf.tu-dresden.de [141.76.1.11])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id AAA07171;
          Mon, 1 Jul 1996 00:55:49 -0700 (PDT)
Received: from sax.sax.de by irz301.inf.tu-dresden.de (8.6.12/8.6.12-s1) with ESMTP id JAA17620; Mon, 1 Jul 1996 09:53:07 +0200
Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id JAA10868; Mon, 1 Jul 1996 09:53:04 +0200
Received: (from j@localhost) by uriah.heep.sax.de (8.7.5/8.6.9) id JAA09816; Mon, 1 Jul 1996 09:05:16 +0200 (MET DST)
From: J Wunsch <j@uriah.heep.sax.de>
Message-Id: <199607010705.JAA09816@uriah.heep.sax.de>
Subject: Re: cvs commit:  src/gnu/usr.bin/perl/perl perl.c
To: ache@nagual.ru (=?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?=)
Date: Mon, 1 Jul 1996 09:05:16 +0200 (MET DST)
Cc: joerg@freefall.freebsd.org, CVS-committers@freefall.freebsd.org,
        cvs-all@freefall.freebsd.org, cvs-gnu@freefall.freebsd.org
In-Reply-To: <199606301641.UAA00915@nagual.ru> from "[?KOI8-R?]" at "Jun 30, 96 08:41:47 pm"
X-Phone: +49-351-2012 669
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F  93 21 E0 7D F9 12 D6 4E 
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-cvs-gnu@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

As [?KOI8-R?] wrote:

> >   Back out Nate's changes from rev. 1.6; our Perl has not been
> >   vulnerable since it used setreuid() as opposed to Posix saved IDs.
> >   The change broke setuid scripts.
> 
> ??? How this change can broke setuid scripts? Do you mean that

It did.  I'm regularly using some, and all they broke (at various
places, not just one machine).  It called taintperl, and fed the
script as an ``fd script'', but nothing ever happened.

> perl author supply incorrect patch?

In combination with our already modified sources, yes.  (We don't use
Posix saved IDs, we switched to setreuid().)

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)