From: "Sean C. Farley" <scf@FreeBSD.org>
To: Dan Lukes
Cc: freebsd-security@FreeBSD.org
Date: Tue, 1 Dec 2009 10:59:56 -0600 (CST)
Subject: Re: Upcoming FreeBSD Security Advisory
In-Reply-To: <4B154635.2050209@obluda.cz>
On Tue, 1 Dec 2009, Dan Lukes wrote:

> Dag-Erling Smørgrav wrote, on 12/01/09 14:12:
>> As to the second: yes, 6.1 is most likely affected.
>
> Probably not.
>
> The older algorithm used in 6.1 looks like
> -----------------
> if (trusted) {
>     variable = getenv(NAME);
>     ....
> -----------------
>
> The affected algorithm looks like:
> -----------------
> if (!trusted) {
>     unsetenv(NAME);
>     ...
> };
> variable = getenv(NAME);
> -----------------
>
> As far as I know, such a change has been MFCed into 6.3, 6.4 and 7.x but
> not into 6.1. So 6.1 should not be affected by this bug (but remains
> vulnerable to the problem that triggered the change from the old
> algorithm to the new one).

That is correct. 6.x should not be affected. The security issue exists
with the combination of the getenv() to unsetenv() change in rtld.c and
the addition of the new env code. The unsetenv() in 6.x would not stop
if environ was corrupted.

Sean
-- 
scf@FreeBSD.org
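The two algorithms Dan quotes and Sean's remark about unsetenv() stopping on a corrupted environ are easiest to compare side by side. The following is an added example, not code from the thread or from FreeBSD's rtld or libc: it models the environment as a toy NULL-terminated array, supplies a "strict" unsetenv() that bails out with -1 when any entry lacks an '=' (an assumed model of the behaviour the thread describes for the new env code) and a "lenient" one that always finishes (the 6.x behaviour Sean describes), and then runs the old "read only if trusted" algorithm, the new "unset if untrusted, then read" algorithm, and a checked variant against a constructed environment containing a malformed entry. NAME in the quote is assumed to be LD_PRELOAD here; the sample environments and the library path in them are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy environ: NULL-terminated "NAME=value" strings (constructed, not libc's). */
#define MAX_ENV 16
static char *toy_environ[MAX_ENV + 1];
static char toy_storage[MAX_ENV][64];

/* Copy a sample environment in, so unsetenv can edit it in place. */
static void toy_load_env(const char *const *entries)
{
    size_t i = 0;
    for (; entries[i] != NULL && i < MAX_ENV; i++) {
        strncpy(toy_storage[i], entries[i], sizeof toy_storage[i] - 1);
        toy_storage[i][sizeof toy_storage[i] - 1] = '\0';
        toy_environ[i] = toy_storage[i];
    }
    toy_environ[i] = NULL;
}

/* True if entry is "NAME=..." for this name. */
static int has_name(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

static const char *toy_getenv(const char *name)
{
    for (char **p = toy_environ; *p != NULL; p++)
        if (has_name(*p, name))
            return *p + strlen(name) + 1;
    return NULL;
}

/* Remove every entry carrying name; malformed entries are left alone. */
static void remove_entries(const char *name)
{
    char **dst = toy_environ;
    for (char **src = toy_environ; *src != NULL; src++)
        if (!has_name(*src, name))
            *dst++ = *src;
    *dst = NULL;
}

/* Assumed model of the new env code: validate the whole environment first and
 * return -1 without unsetting anything if an entry has no '='. */
static int toy_unsetenv_strict(const char *name)
{
    for (char **p = toy_environ; *p != NULL; p++)
        if (strchr(*p, '=') == NULL)
            return -1;
    remove_entries(name);
    return 0;
}

/* Model of the 6.x behaviour Sean describes: never stops on a bad entry. */
static int toy_unsetenv_lenient(const char *name)
{
    remove_entries(name);
    return 0;
}

typedef int (*unsetenv_fn)(const char *);
#define VAR "LD_PRELOAD"   /* assumed stand-in for NAME in the quoted code */

/* Old algorithm from the quote: read only when trusted (fails closed). */
static const char *preload_old(int trusted, unsetenv_fn unset)
{
    (void)unset;
    return trusted ? toy_getenv(VAR) : NULL;
}

/* New algorithm from the quote: unset when untrusted, then read. The unset's
 * return value is ignored, so a failed unset falls open. */
static const char *preload_new(int trusted, unsetenv_fn unset)
{
    if (!trusted)
        (void)unset(VAR);
    return toy_getenv(VAR);
}

/* Checked variant (added here): keep the unset, refuse the value if it fails. */
static const char *preload_checked(int trusted, unsetenv_fn unset)
{
    if (!trusted && unset(VAR) != 0)
        return NULL;
    return toy_getenv(VAR);
}

typedef const char *(*loader_fn)(int, unsetenv_fn);

/* 1 if the loader would honour VAR from env under these conditions, else 0. */
static int honours(loader_fn loader, const char *const *env, int trusted, unsetenv_fn unset)
{
    toy_load_env(env);
    return loader(trusted, unset) != NULL;
}

/* Constructed sample environments; the second contains a malformed entry. */
static const char *const clean_env[]   = { "HOME=/home/user", VAR "=/tmp/untrusted.so", "PATH=/bin", NULL };
static const char *const corrupt_env[] = { "NO_EQUALS_SIGN",  VAR "=/tmp/untrusted.so", "PATH=/bin", NULL };

int main(void)
{
    printf("untrusted, corrupt environ, strict unsetenv: old=%d new=%d checked=%d\n",
           honours(preload_old, corrupt_env, 0, toy_unsetenv_strict),
           honours(preload_new, corrupt_env, 0, toy_unsetenv_strict),
           honours(preload_checked, corrupt_env, 0, toy_unsetenv_strict));
    printf("untrusted, corrupt environ, lenient unsetenv: new=%d\n",
           honours(preload_new, corrupt_env, 0, toy_unsetenv_lenient));
    return 0;
}
```

With the strict unsetenv and a malformed entry, only the "unset then read" algorithm ends up honouring the variable for an untrusted process; the old algorithm never reads it, and the checked variant turns the failed unset into a refusal. With the lenient unsetenv the same algorithm is safe, which is the combination Sean points to: the new rtld pattern plus the new env code, not either one alone.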