From owner-freebsd-security Sun Feb 2 23:48:43 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id XAA13860 for security-outgoing; Sun, 2 Feb 1997 23:48:43 -0800 (PST)
Received: from spitfire.ecsel.psu.edu (qmailr@spitfire.ecsel.psu.edu [146.186.218.51]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id XAA13854 for ; Sun, 2 Feb 1997 23:48:39 -0800 (PST)
Received: (qmail 13188 invoked by uid 1000); 3 Feb 1997 07:48:35 -0000
Message-ID: <19970203074835.13187.qmail@spitfire.ecsel.psu.edu>
To: Security Administrator
cc: freebsd-security@freebsd.org, bugtraq@netspace.org
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-reply-to: Your message of "Mon, 03 Feb 1997 02:06:55 EST." <199702030706.CAA07764@roundtable.cif.rochester.edu>
Date: Mon, 03 Feb 1997 02:48:34 -0500
From: Dan Cross
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Question: Does this problem in 2.1.5 appear in 2.1.6 or 2.1.6.1? Since the
> libraries are similar, my guess without comparing code is that the bug
> is there.

Yes, the bug does indeed appear in 2.1.6, at least. Here's an untested patch which SHOULD fix the problem, though:

----- Begin startup_setlocale.diff
*** startup_setlocale.c 1997/02/03 07:40:46 1.1
--- startup_setlocale.c 1997/02/03 07:41:47
***************
*** 174,183 ****
return(0);
}

! (void) strcpy(name, PathLocale);
! (void) strcat(name, "/");
! (void) strcat(name, encoding);
! (void) strcat(name, "/LC_CTYPE");

if ((fp = fopen(name, "r")) == NULL)
return(ENOENT);
--- 174,181 ----
return(0);
}

! (void) snprintf(name,
! PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding);

if ((fp = fopen(name, "r")) == NULL)
return(ENOENT);
----- End of startup_setlocale.diff

Note that there might be more problems, but I haven't got the time to test for them right now. :-(

- Dan C.
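Review bot: the return value of snprintf in the replacement lines ("! (void) snprintf(name," / "! PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding);") is discarded, so an over-long PathLocale or encoding no longer overflows but is silently truncated, and the truncated path is then handed to fopen on the unchanged "if ((fp = fopen(name, "r")) == NULL)" line. Keep the result and fail closed when it does not fit, e.g. "if (snprintf(name, PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding) >= PATH_MAX) return(ENOENT);" (ENOENT matches the existing error path; ENAMETOOLONG would be more precise). The hunk also shows the bound PATH_MAX but not the declaration of name; if name is an array of a different size the bound is wrong, so sizeof(name) would tie the two together, and if it is a pointer the real size needs to be passed in.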