From owner-freebsd-security Mon Feb 3 11:00:19 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id LAA13756 for security-outgoing; Mon, 3 Feb 1997 11:00:19 -0800 (PST)
Received: from super-g.inch.com (super-g.com [204.178.32.161]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA13746 for ; Mon, 3 Feb 1997 11:00:11 -0800 (PST)
Received: from localhost (spork@localhost) by super-g.inch.com (8.8.5/8.6.9) with SMTP id OAA23643; Mon, 3 Feb 1997 14:05:44 -0500 (EST)
Date: Mon, 3 Feb 1997 14:05:43 -0500 (EST)
From: spork
X-Sender: spork@super-g.inch.com
To: David Greenman
cc: tqbf@enteract.com, Torbjorn Ose, freebsd-security@FreeBSD.ORG
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-Reply-To: <199702031131.DAA10128@root.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Hello,

Now that everyone is all settled on why the bug is there and how bad it is,
what is the course of action for those of us using 2.1.6? I've applied the
patch posted to Bugtraq, but is there an "official" patch yet from FBSD,
Inc.? The one posted to Bugtraq had words like "should, might, maybe"...
Or can I pull down some 2.2 source and drop it in?

Not a programmer, but wishing I was every time a new security hole opens,

Charles

On Mon, 3 Feb 1997, David Greenman wrote:

> >> ok, I could be wrong about 2.1.6. Here's the first message I can find that
> >
> >You are. The problem is "fixed" in -current with patches to setlocale.c
> >that check mismatched e/uid and do bounds checking on the string copies,
> >but 2.2 doesn't do startup locale processing. 2.1.6 did not resolve this
> >problem.
> ...
> >and anyone with a 2.1.6 installation is vulnerable. The FreeBSD team has
> >not made information regarding this problem available to the public,
> >although they did silently fix it in -current.
>
>    For the record, the setlocale call from crt0 was removed after a debate
> about its architectural [in]correctness and had nothing to do with any
> security hole. I'm not aware of any security related fixes to
> startup_setrunelocale() in any version of FreeBSD, nor have I seen or
> heard (until your report) about any security related problems in any of the
> locale code. It sounds like you're suggesting that there was some sort of
> coverup, and that simply isn't true.
>    Anyway, thank you for finding the problem. It's certainly not the only
> security hole in past versions of FreeBSD, but with bug reports like yours
> and others, we hope to make FreeBSD more secure in the future.
>
> -DG
>
> David Greenman
> Core-team/Principal Architect, The FreeBSD Project
>
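Added illustration (editorial; not code from this thread, from FreeBSD's crt0, or from setlocale.c): the class of bug the thread is about, locale processing at program start that copies an environment-supplied string into a fixed-size buffer with no length check, which matters in set-id binaries because the environment is attacker controlled, beside the two fixes the quoted message says -current gained, a real/effective uid mismatch check and a bounded copy. The buffer size LOCALE_BUF, the variable name LANG and every function and type name are assumptions for the demo, not values taken from the real libc; the quoted text mentions only uids, and a production check would compare gids as well.

```c
/*
 * Added illustration, not FreeBSD's crt0/setlocale.c code: an unchecked
 * startup locale copy ("before") next to a hardened one ("after").
 * LOCALE_BUF, LANG and all names here are assumptions for the demo.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define LOCALE_BUF 32                       /* assumed size, not the real one */
#define SENTINEL_VALUE 0x5a5a5a5a5a5a5a5aUL

/* The locale buffer with a sentinel placed right after it, so the demo can
 * observe an overflow without writing outside an object it owns. */
struct locale_state {
    char buf[LOCALE_BUF];
    unsigned long sentinel;                 /* clobbered when buf overflows */
    char slack[64];                         /* keeps the overrun inside this struct */
};

/* Before: copy the environment string until its NUL, however long it is.
 * Written as a loop rather than strcpy() only so fortified libc wrappers do
 * not stop the demo; the behaviour is the classic unbounded copy. */
void locale_copy_unchecked(struct locale_state *st, const char *env)
{
    size_t i = 0;
    st->sentinel = SENTINEL_VALUE;
    for (; env[i] != '\0'; i++)
        st->buf[i] = env[i];
    st->buf[i] = '\0';
}

/* Did the last copy run past buf into the sentinel? */
int locale_overflowed(const struct locale_state *st)
{
    return st->sentinel != SENTINEL_VALUE;
}

enum locale_result { LOCALE_OK, LOCALE_IGNORED_SETID, LOCALE_REJECTED_LENGTH };

/* After: (1) ignore the environment entirely when real and effective uid
 * differ, because a set-id program cannot trust it; (2) bound the copy.
 * Whenever the environment value is not used, buf holds the "C" locale. */
enum locale_result locale_copy_checked(struct locale_state *st, const char *env,
                                       uid_t ruid, uid_t euid)
{
    st->sentinel = SENTINEL_VALUE;
    st->buf[0] = 'C';
    st->buf[1] = '\0';
    if (ruid != euid)
        return LOCALE_IGNORED_SETID;        /* set-id: environment is hostile */
    if (env == NULL)
        return LOCALE_OK;                   /* unset: default locale */
    if (strlen(env) >= sizeof st->buf)
        return LOCALE_REJECTED_LENGTH;      /* would not fit with its NUL */
    memcpy(st->buf, env, strlen(env) + 1);  /* length already bounded */
    return LOCALE_OK;
}

int main(void)
{
    struct locale_state st;
    /* LANG is an assumed variable name for the demo. */
    enum locale_result r = locale_copy_checked(&st, getenv("LANG"),
                                               getuid(), geteuid());
    printf("result=%d locale=%s\n", (int)r, st.buf);
    return 0;
}
```

Running the program normally prints the LANG value (or "C" if it is unset or too long); running it set-uid to another user would print "C" with result 1 regardless of LANG, which is the point of the mismatch check.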