From owner-freebsd-security Thu Feb 13 00:34:02 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA26637 for security-outgoing; Thu, 13 Feb 1997 00:34:02 -0800 (PST)
Received: from minor.stranger.com (stranger.vip.best.com [204.156.129.250]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id AAA26627 for ; Thu, 13 Feb 1997 00:33:57 -0800 (PST)
Received: from dog.farm.org (dog.farm.org [207.111.140.47]) by minor.stranger.com (8.6.12/8.6.12) with ESMTP id AAA22875; Thu, 13 Feb 1997 00:44:54 -0800
Received: (from dk@localhost) by dog.farm.org (8.7.5/dk#3) id AAA05430; Thu, 13 Feb 1997 00:36:23 -0800 (PST)
Date: Thu, 13 Feb 1997 00:36:23 -0800 (PST)
From: Dmitry Kohmanyuk
Message-Id: <199702130836.AAA05430@dog.farm.org>
To: dev@trifecta.com (Dev Chanchani)
Cc: freebsd-security@freebsd.org
Subject: Re: 2.1.7
Newsgroups: cs-monolit.gated.lists.freebsd.security
Organization: FARM Computing Association
Reply-To: dk+@ua.net
X-Newsreader: TIN [version 1.2 PL2]
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In article you wrote:
> > The real problem is with what crt0 calls - _startup_setlocale() in libc,
> > which does a getenv of PATH_LOCALE and copies it to a stack buffer without
> > bounds checking. I removed the getenv call from the libc code, so this attack
> > simply doesn't exist anymore. Anything that is built shared/dynamic will
> > get the new libc and thus will no longer be vulnerable.

> I was under the impression that re-building libc would not work because
> such utilities as ping, at, etc are built statically, thus having the
> buggy code in the utilities.

Hmm, I have just thought about the following:

in / fs:
    /bin  -> /usr/bin
    /sbin -> /usr/sbin

then:
    / fs has /usr with statically-linked /usr/bin and /usr/sbin
    /usr fs has /usr/bin and /usr/sbin with dynamically-linked versions of the same utilities.

This has the advantage of all binaries using dynamic libs when running multiuser.
The space overhead should be pretty small, and changes to source tree pretty simple...
Can be a bit tricky to install, though. (And doesn't work for those who don't have /usr mounted separately.)

(btw, on my recently compiled 2.2 system, there is /usr/sbin/rtquery (dynamic) and /sbin/rtquery (static), /usr/sbin/routed (dynamic) and /sbin/routed (static), /usr/sbin/ipftest and /sbin/ipftest (both dynamic).)

opinions?

--
"Reality is a poor escapism for people who cannot handle roleplaying"
-- toriver@pvv.unit.no (Tor Iver Wilhelmsen)
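A practical check for the concern raised in this thread (which utilities still carry the buggy libc because they were linked statically): an added example, not from the thread or the FreeBSD source tree, that parses ELF program headers and lists executables with no PT_INTERP entry, i.e. ones that will not pick up a rebuilt shared libc. It assumes a modern ELF-based system (the 2.1.7-era a.out format is not handled), and the fake_elf64 helper is constructed test data only.

```python
import os
import struct
from pathlib import Path

PT_INTERP = 3  # program header type that names the run-time linker

def elf_is_static(data: bytes):
    """True: no PT_INTERP (libc baked in). False: dynamic. None: not ELF."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return None
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    if data[4] == 2:  # EI_CLASS: ELF64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    elif data[4] == 1:  # ELF32
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    else:
        return None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            return None  # truncated program header table
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_INTERP:
            return False
    return True

def find_static_executables(dirs=("/bin", "/sbin")):
    """Paths under dirs that are ELF executables without PT_INTERP."""
    hits = []
    for d in dirs:
        root = Path(d)
        if not root.is_dir():
            continue
        for p in sorted(root.iterdir()):
            if p.is_file() and os.access(p, os.X_OK):
                with open(p, "rb") as fh:
                    if elf_is_static(fh.read(65536)) is True:
                        hits.append(str(p))
    return hits

def fake_elf64(ptypes):
    """Constructed little-endian ELF64 image with the given phdr types (test data only)."""
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 64, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0) for t in ptypes)
```

Calling find_static_executables() on the root filesystem's /bin and /sbin gives the list of binaries that must be relinked after a libc fix rather than just reinstalled with the new shared library.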