Date:      Wed, 5 Feb 1997 13:20:21 +1100 (EST)
From:      "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To:        Karl Denninger <karl@Mcs.Net>, spork <spork@super-g.com>, jgreco@solaria.sol.net, security@freebsd.org
Subject:   Re: Question: 2.1.7?
Message-ID:  <Pine.BSF.3.91.970205094216.822F-100000@panda.hilink.com.au>
In-Reply-To: <Pine.BSF.3.91.970205071344.822A-100000@panda.hilink.com.au>


On Wed, 5 Feb 1997, I wrote:

> On Tue, 4 Feb 1997, Karl Denninger wrote:
> > There are static-linked executables which are shipped SUID with most FreeBSD
> > implementations.  THESE MUST BE RECOMPILED ALSO!
> > 
> > Make very, very sure you don't have any old SUID executables laying around.
> > If you do, you're vulnerable even with a libc fix.
> 
> Thanks, I am aware of this.  The package will include replacement static 
> suid binaries.

As pointed out later in the discussion, there are also scary thoughts of 
non-suid binaries becoming vulnerable by being run by root at some stage.
I have no pretensions of completely understanding all of the 
interrelationships amongst cc, libc and the generated programs, (learning 
fast, mind you), so I'd like to concentrate my efforts to the Project on 
a more cosmetic level.

At the basic level, to fix the crt0() problem in 2.1.x, one needs to 
rebuild libc with a new crt0(), and rebuild all statically linked binaries.
It has been suggested that a 'make world' is needed, replacing all 
binaries, just in case.  If I'm going to make security update packages 
for 2.1.0 and 2.1.5/6, I'd like some comments on what needs to be included.

Danny
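
The check Karl describes (no old static SUID executables left behind after the libc fix) can be scripted. The following is an added example, not part of the original message or of any FreeBSD package; the function names and the idea of using the rebuilt libc file's modification time as the reference point are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag set-uid/set-gid executables that are statically linked
# and have not been rebuilt since the fixed libc was installed.
# Usage (paths are supplied by the operator, none are assumed here):
#   sh audit.sh <directory-to-scan> <path-to-rebuilt-libc>

# stale_suid DIR REF
# Print regular files under DIR that carry the set-uid or set-gid bit and
# whose modification time is not newer than REF. Assumption: REF is a file
# written when the fixed libc was installed, so anything not newer than it
# was linked against the old crt0/libc.
stale_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) ! -newer "$2" -print
}

# is_static DESCRIPTION
# Succeed if a line of file(1) output describes a statically linked binary.
# Dynamically linked binaries pick up the fixed libc at run time; static
# ones carry their own copy and must be relinked.
is_static() {
    case "$1" in
        *"statically linked"*|*"static-pie linked"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit DIR REF
# Combine the two checks and print one REBUILD line per binary that still
# embeds the old library code.
audit() {
    stale_suid "$1" "$2" | while IFS= read -r f; do
        if is_static "$(file -b "$f")"; then
            echo "REBUILD $f"
        fi
    done
}

# Run only when both arguments are given, so the functions can be sourced.
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

Modification time is only a heuristic: a binary restored from backup or copied with preserved timestamps can look old or new regardless of what it was linked against.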


