From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 17:50:09 2009
Delivered-To: freebsd-security@freebsd.org
Date: Tue, 1 Dec 2009 18:50:07 +0100
From: Oliver Pinter
To: "Sean C. Farley"
Cc: Dan Lukes, freebsd security
Subject: Re: Upcoming FreeBSD Security Advisory
Message-ID: <6101e8c40912010950j70540b6bj140eddbf0f3d7bba@mail.gmail.com>
References: <200912010120.nB11Kjm9087476@freefall.freebsd.org>
 <20091201111627.GC4920@borusse.borussiapark>
 <86skbuet3x.fsf@ds4.des.no>
 <4B154635.2050209@obluda.cz>
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Tue, 01 Dec 2009 17:50:10 -0000

http://twitter.com/spendergrsec/status/6223864530
http://xorl.wordpress.com/2009/12/01/freebsd-ld_preload-security-bypass/

On 12/1/09, Sean C. Farley wrote:
> On Tue, 1 Dec 2009, Dan Lukes wrote:
>
>> Dag-Erling Smørgrav napsal/wrote, On 12/01/09 14:12:
>>> As to the second: yes, 6.1 is most likely affected.
>>
>> Probably not.
>>
>> The older algorithm used in 6.1 looks like
>> -----------------
>> if (trusted) {
>>     variable = getenv(NAME);
>>     ....
>> -----------------
>>
>> The affected algorithm looks like:
>> -----------------
>> if (!trusted) {
>>     unsetenv(NAME);
>>     ...
>> };
>> variable = getenv(NAME);
>> -----------------
>>
>> As far as I know such a change has been MFCed into 6.3, 6.4, 7.x but not
>> into 6.1. So 6.1 should not be affected by this bug (but remains
>> vulnerable to the problem that triggered the change from the old algorithm
>> to the new one).
>
> That is correct. 6.x should not be affected. The security issue exists
> with the combination of the getenv() to unsetenv() change in rtld.c and
> the addition of the new env code. The unsetenv() in 6.x would not stop
> if environ was corrupted.
>
> Sean
> --
> scf@FreeBSD.org
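The two patterns quoted above differ in what happens when the strip step fails: the older form only reads the variable when trusted, while the newer form reads it unconditionally after an unsetenv() whose result is never checked. The C model below is an added example, not code from this thread or from FreeBSD's rtld or libc: it simulates an environment table with a getenv-like lookup and an unsetenv-like routine that, by assumption for this model, gives up on the first malformed entry (one without '='), and contrasts the fail-open resolver with a fail-closed one; the variable name, paths and the malformed entry are constructed sample values.

```c
#include <stddef.h>
#include <string.h>

#define MAXENV 16
/* Constructed stand-in for the process environment (not the real environ). */
static const char *model_env[MAXENV];
static const char *clean_env[] = {"PATH=/usr/bin", "LD_PRELOAD=/tmp/constructed.so"};
static const char *corrupted_env[] = {"PATH=/usr/bin", "LD_PRELOAD=/tmp/constructed.so",
                                      "ENTRY_WITHOUT_EQUALS"};  /* malformed entry */

static void env_reset(const char **entries, size_t n) {
    size_t i;
    for (i = 0; i < n && i < MAXENV - 1; i++) model_env[i] = entries[i];
    model_env[i] = NULL;
}

/* getenv-like lookup: a malformed entry is simply skipped. */
static const char *env_get(const char *name) {
    size_t len = strlen(name);
    for (size_t i = 0; model_env[i] != NULL; i++)
        if (strncmp(model_env[i], name, len) == 0 && model_env[i][len] == '=')
            return model_env[i] + len + 1;
    return NULL;
}

/* Assumed unsetenv-like behaviour for this model: the first malformed entry
 * makes the call give up with -1 and leaves the table untouched. */
static int env_unset(const char *name) {
    size_t len = strlen(name), j = 0;
    for (size_t i = 0; model_env[i] != NULL; i++)
        if (strchr(model_env[i], '=') == NULL) return -1;
    for (size_t i = 0; model_env[i] != NULL; i++)
        if (strncmp(model_env[i], name, len) != 0 || model_env[i][len] != '=')
            model_env[j++] = model_env[i];
    model_env[j] = NULL;
    return 0;
}

/* Pattern quoted in the thread: strip when untrusted, then read unconditionally.
 * A silently failed strip leaves the untrusted value readable (fails open). */
static const char *resolve_fail_open(const char *name, int trusted) {
    if (!trusted) env_unset(name);          /* return value ignored */
    return env_get(name);
}

/* Fail-closed variant: a strip that did not succeed means "treat as absent". */
static const char *resolve_fail_closed(const char *name, int trusted) {
    if (!trusted && env_unset(name) != 0) return NULL;
    return env_get(name);
}
```

With the corrupted table, resolve_fail_open() still hands back the untrusted LD_PRELOAD value for a non-trusted caller, while resolve_fail_closed() returns NULL; with the clean table both strip it correctly.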