Date: Wed, 5 Feb 1997 12:46:16 -0600 (CST) From: Karl Denninger <karl@Mcs.Net> To: jgreco@solaria.sol.net (Joe Greco) Cc: karl@Mcs.Net, Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE Message-ID: <199702051846.MAA08211@Jupiter.Mcs.Net> In-Reply-To: <199702051816.MAA13357@solaria.sol.net> from "Joe Greco" at Feb 5, 97 12:16:36 pm
next in thread | previous in thread | raw e-mail | index | archive | help
I wrote: > > NO NO NO NO! > > > > The ENTIRE setlocale() code is a HUGE security problem. Among other things, > > any program which is SUID or SGID Kmem is INSTANTLY penetrable to provide > > access to the resources which would otherwise be "protected". > > > > SETLOCALE MUST BE REMOVED FROM USE UNTIL IT CAN BE FIXED. It is FULL of > > non-bounds-checked calls to string routines. > > > > I have already found setlocale() calls in SEVERAL privileged programs. > > > > Note that Tom Ptaeck WILL be releasing *EXPLOITS AND DETAILS* within one > > week. Either this gets fixed or the world knows how to break in. > > Shut the hell up already. The bull in a china shop routine is getting > very fucking old. You are not being part of the solution, so you are > being part of the problem. No chance. I happen to have already notified people of several related problems, including those in "at" and "crontab". I AM PART OF THE SOLUTION. Look. I've submitted prs before which have been flamed because they weren't "stylized" the way people wanted them, or were just ignored until some time later -- even when SEVERE and SECURITY have shown up in them. Frankly, I'm tired of tilting at windmills. > I have just as much at stake here as you do. I agree that there is a > tank-sized hole. But what needs to happen is some strategizing, so that > a _fix_ can be released. A _fix_ that addresses the concerns. That is > still being discussed. There is complete buy-in and complete consensus, > from everything I can tell, that something MUST be done, and something > WILL be done. The FIX is the go through setlocale() and fix the holes in the code! Nothing else is adequate, and every other path is a LOT more work. And yes, I WILL submit a pr on this as soon as I can find a few hours to do the fix, verify it, and make world to test. At the same time I post it to the committers I'll post it publically, and 24 hours later I post the exploit which takes advantage of the problem. That's as far as I'll go. Frankly, until then setlocale() ought to have a "return()" right after its invocation -- noop the entire routine out until then. Its THAT bad. > It appears to me that a cleanup "security" release (2.1.6.2, or 2.1.7, > or whatever) WILL happen, quite possibly with a bunch of other fixes > as well. Nobody wants that more than me. 2.2 is ALSO affected. That's being IGNORED right now. > It's gonna get fixed, Karl. Now, if you REALLY want to help, drop the > bulldog act, and sign up to do something USEFUL. I'm trying. You can > too! An organization your size must have a C programmer or two, why > not have them spend a day eliminating every single unchecked bounds > string function call that they can? That is how things get DONE. What makes you think we're not doing that. > You might even regain some credibility. > > But we need to make sure that the effort is coordinated. > > ... JG I don't have commit access, and won't wait long for those who do to play with this. If I had it you'd have already seen the commit; I would have stayed up all night last night to code a REAL fix. As it is I won't stay up all night, because I have NO IDEA how long it will take for that to be of benefit -- or if it EVER will be. That's a problem. I don't CARE if you think I have credibility or not. I'm getting email by the BOATLOAD in support of my stance on this issue, from others who are affected and who are mad as hell at the way these issues have been handled in the past and present. My fealty isn't to the core team. Its to the people out there who run the code, and to those who I've recommended use the software in question. -- -- Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service | 99 Analog numbers, 77 ISDN, Web servers $75/mo Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/ Fax: [+1 773 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702051846.MAA08211>