From: mycroft@gnu.ai.mit.edu (Charles M. Hannum)
To: tqbf@enteract.com
Cc: bugtraq@netspace.org, freebsd-security@freebsd.org
Subject: Re: Critical Security Problem in 4.4BSD crt0
Date: 03 Feb 1997 13:11:36 -0500
In-Reply-To: "Thomas H. Ptacek"'s message of Sun, 2 Feb 1997 23:54:54 -0600 (CST)
References: <199702030554.XAA07517@enteract.com>

"Thomas H. Ptacek" writes:

> The issue is that FreeBSD 2.1.5's crt0.c start() routine, which calls the
> "main()" entry point function in the program that is starting, will under
> some circumstances call routines that set the "locale" of the program. The
> routines that do this are heavily dependent on environment variables,
> which are in some circumstances copied directly into local character
> buffers on the stack of the locale routines.

I'd like to point out that, despite the subject line, this hole has nothing
to do with 4.4BSD; it is specific to FreeBSD, and does *not* affect other
4.4BSD-derived systems.
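As an added illustration, not code from the report or from FreeBSD's libc, here is the defensive counterpart of the pattern Ptacek describes: the locale name read from the environment is validated and length-checked before it is placed in a fixed-size buffer and used to build a path. LOCALE_NAME_MAX and LOCALE_DIR are assumed values chosen for the example, not FreeBSD's.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOCALE_NAME_MAX 32              /* assumed limit for this example */
#define LOCALE_DIR      "/usr/share/locale"   /* assumed directory */

/*
 * The pattern in the report is, in effect, `strcpy(stackbuf, getenv("LANG"))`
 * with no length check, so an oversized environment value overruns the
 * buffer.  The hardened version below never copies more than it has checked.
 *
 * Returns 1 and fills out[] if env is a well-formed locale name, 0 otherwise.
 * Only the characters a locale name needs are accepted; in particular '/'
 * is refused so the value cannot escape LOCALE_DIR.
 */
int validate_locale_name(const char *env, char *out, size_t outlen)
{
    size_t n;

    if (env == NULL || outlen == 0)
        return 0;
    /* Bounded scan: stop as soon as the value is longer than allowed. */
    for (n = 0; env[n] != '\0'; n++) {
        unsigned char c = (unsigned char)env[n];
        if (n >= LOCALE_NAME_MAX)
            return 0;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@'))
            return 0;
    }
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, env, n + 1);            /* n+1 <= outlen, includes NUL */
    return 1;
}

/* Builds "<LOCALE_DIR>/<name>/<file>" into out; 0 on refusal or truncation. */
int build_locale_path(const char *env, const char *file, char *out, size_t outlen)
{
    char name[LOCALE_NAME_MAX + 1];
    int len;

    if (!validate_locale_name(env, name, sizeof name))
        return 0;
    len = snprintf(out, outlen, "%s/%s/%s", LOCALE_DIR, name, file);
    if (len < 0 || (size_t)len >= outlen) {   /* snprintf reports truncation */
        if (outlen > 0)
            out[0] = '\0';
        return 0;
    }
    return 1;
}
```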