From owner-freebsd-security Fri May 17 11:21:58 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA07426 for security-outgoing; Fri, 17 May 1996 11:21:58 -0700 (PDT)
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id LAA07418 for ; Fri, 17 May 1996 11:21:55 -0700 (PDT)
Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.8.2/19Aug95-0530PM) id AA05895; Fri, 17 May 1996 14:21:48 -0400
Date: Fri, 17 May 1996 14:21:48 -0400
From: Garrett Wollman
Message-Id: <9605171821.AA05895@halloran-eldar.lcs.mit.edu>
To: Paul Traina
Cc: "Jordan K. Hubbard" , davidg@root.com, "Jordan K. Hubbard" , committers@freefall.freebsd.org, security@freebsd.org
Subject: Re: cvs commit: src/sbin Makefile
In-Reply-To: <199605171749.KAA00487@precipice.shockwave.com>
References: <273.832325899@time.cdrom.com> <199605171749.KAA00487@precipice.shockwave.com>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

< said:

> Here's my current *DRAFT* advisory, I'm certain it's not perfect
> (i.e. is 2.0.5 and 2.0 affected too?)

Yes. This bug has been in there since the 2.0. The fix should be the
same for all release versions of libc (make a diff with -kk so that
the different RCS Ids don't cause the patch to partially fail).

> I definitely want to check to see if NetBSD has this bug too (in
> a different form) so we can warn them.

I'd be very surprised.

> FreeBSD SA-96:09 mount_union unauthorized super-user access

mount_msdos is also affected. All of the mount_* programs can be
affected if `root' has an insecure path and attempts to mount a
filesystem type not already in the kernel.

> Category: core
> Module: mount_union
> Announced: 1996-05-17
> Affects: FreeBSD 2.1, 2.1-stable, and 2.2-current
> Corrected: 1996-05-17 2.1-stable and 2.2-current sources

Not yet in -stable. Doing that right now.

> Source: 4.4 BSD bug

No. 4.4 didn't have LKMs.

> FreeBSD only: unknown

Yes.

-GAWollman

--
Garrett A. Wollman   | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu  | Shashish is the bonding of hearts in spite of distance.
Opinions not those of| It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA| who like Shashish. - Claude McKenzie + Florent Vollant