From owner-freebsd-security Wed Oct 4 10:49:55 2000
Message-Id: <200010041749.LAA38070@harmony.village.org>
To: K2
Subject: Re: OpenBSD Security Advisory
Cc: security@freebsd.org
In-reply-to: Your message of "Wed, 04 Oct 2000 00:31:03 PDT." <39DADCB7.4E416D8B@ktwo.ca>
References: <39DADCB7.4E416D8B@ktwo.ca>
Date: Wed, 04 Oct 2000 11:49:47 -0600
From: Warner Losh

I've had two requests from users to go through this and report on
FreeBSD's status. I answered the fstat's portion in earlier mail, so
I'll just say we aren't vulnerable and haven't been for a long long
time.

Since we're not vulnerable to any of these, I have a problem posting
that to bugtraq as those sorts of messages tend to create a lot of
clutter and ill will.

In message <39DADCB7.4E416D8B@ktwo.ca> K2 writes:
: There is also su, although it is only exploitable by the
: usershell=format string, there is a possibility that somebody have a
: third party application set the user shell to something that may be
: malicious. Why no even passing mention in their "Daily Changelog" or
: their security pages?
:
: ---- SNIP -- SNIP ----
: rain:/usr/src/libexec/talkd# su - ktwo
: su: /usr/local/bin/bash0x00x1b150xdfbfdc8c0xdfbfdc280xdfbfdc2c: No such
: file or directory
: rain:/usr/src/libexec/talkd# cat /etc/passwd|grep ktwo
: ktwo:*:100:100:what's your
: style,,,:/home/ktwo:/usr/local/bin/bash%p%p%p%p%p

FreeBSD has been immune to this attack for a long time (since at least
1994, maybe earlier):

1.1 (rgrimes 27-May-94): err(1, "%s", shell);

: talkd, A DEFAULT service.

FreeBSD has never had this hole, as far as I can tell. We don't use
fprintf here, but instead we build an iovect list up.

: WOW what about photurisd?

We don't have photurisd.

Warner
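
The two defensive patterns named in the message above (a fixed "%s" format, as in err(1, "%s", shell), and building output as an iovec list instead of calling fprintf), shown as an added example that is not part of the original message or of FreeBSD's source. The function names, the "Message from " prefix and the sample string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>
#include <unistd.h>

/* Constructed sample, modelled on the shell field in the quoted passwd entry. */
static const char SAMPLE_SHELL[] = "/usr/local/bin/bash%p%p%p%p%p";

/* Pattern 1: fixed "%s" format, as in err(1, "%s", shell). The unsafe form,
 * snprintf(out, outlen, shell), would parse '%' in the shell as conversions. */
int format_shell_error(char *out, size_t outlen, const char *shell)
{
    return snprintf(out, outlen, "su: %s: No such file or directory", shell);
}

/* Pattern 2: no format parsing at all; writev() copies the bytes verbatim. */
ssize_t write_message_iov(int fd, const char *prefix, const char *untrusted)
{
    struct iovec iov[3] = {
        { .iov_base = (void *)prefix,    .iov_len = strlen(prefix) },
        { .iov_base = (void *)untrusted, .iov_len = strlen(untrusted) },
        { .iov_base = (void *)"\n",      .iov_len = 1 },
    };
    return writev(fd, iov, 3);
}

/* Round-trip through a pipe so the emitted bytes can be inspected. */
int iov_roundtrip(const char *untrusted, char *out, size_t outlen)
{
    int fds[2];
    ssize_t n = -1;
    if (pipe(fds) != 0)
        return -1;
    if (write_message_iov(fds[1], "Message from ", untrusted) > 0)
        n = read(fds[0], out, outlen - 1);
    close(fds[0]);
    close(fds[1]);
    if (n < 0) return -1;
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[128];
    format_shell_error(buf, sizeof buf, SAMPLE_SHELL);
    puts(buf);
    return write_message_iov(STDOUT_FILENO, "Message from ", SAMPLE_SHELL) < 0;
}
```

In both patterns the %p sequences come out as literal text, unlike the pointer values visible in the quoted su output.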