Date: Sat, 08 Feb 1997 22:55:01 -0800
From: David Greenman <dg@root.com>
To: tqbf@enteract.com
Cc: sadmin@roundtable.cif.rochester.edu, freebsd-security@freebsd.org
Subject: Re: 2.1.7
Message-ID: <199702090655.WAA07032@root.com>
In-Reply-To: Your message of "Sun, 09 Feb 1997 00:24:46 CST." <199702090625.AAA18562@enteract.com>
>> Installing the fixed libc should solve the problem for everything that is
>> built the standard, dynamic/'shared library' way.
>
> crt0 is dynamically linked? I don't see the kernel resolving dynamic
> loading - I thought that was crt0's job. Am I wrong?

crt0 is static and part of every binary. The real problem is with what crt0 calls - _startup_setlocale() in libc, which does a getenv of PATH_LOCALE and copies it to a stack buffer without bounds checking. I removed the getenv call from the libc code, so this attack simply doesn't exist anymore. Anything that is built shared/dynamic will get the new libc and thus will no longer be vulnerable.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project
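As an added illustration of the defect class Greenman describes, and not FreeBSD's libc code: an environment variable copied into a fixed-size stack buffer with no length check, beside a bounds-checked copy that rejects an oversized value so the caller falls back to its default locale directory. The function and macro names (copy_locale_path_unsafe, copy_locale_path_checked, locale_dir_from_env, LOCALE_PATH_MAX) and the 64-byte buffer size are hypothetical; the fix Greenman shipped went further and removed the getenv call from the startup path altogether, which is the stronger choice when the environment has no business influencing startup.

```c
/*
 * Added example (not FreeBSD's libc): the unbounded copy pattern from the
 * message beside a bounds-checked replacement. All names and the buffer
 * size are hypothetical; the inputs in main() are constructed.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOCALE_PATH_MAX 64   /* constructed buffer size for the demo */

/* The bug pattern: the string is copied into a fixed-size stack buffer
 * with no length check, so a value longer than the buffer overwrites
 * adjacent stack memory. Only ever called here with a short constant. */
static size_t copy_locale_path_unsafe(const char *src)
{
    char path[LOCALE_PATH_MAX];
    strcpy(path, src);            /* no bounds check */
    return strlen(path);
}

/* Bounds-checked replacement: the source is scanned for its terminator
 * within the first dstlen bytes only; if none is found the value cannot
 * fit (including the terminator) and is rejected with -1. On success the
 * copied length is returned. */
static int copy_locale_path_checked(const char *src, char *dst, size_t dstlen)
{
    const char *end;
    size_t n;

    if (src == NULL || dst == NULL || dstlen == 0)
        return -1;
    end = memchr(src, '\0', dstlen);   /* never reads past dstlen bytes */
    if (end == NULL)
        return -1;                     /* too long for dst: reject */
    n = (size_t)(end - src);
    memcpy(dst, src, n + 1);           /* includes the terminator */
    return (int)n;
}

/* Read PATH_LOCALE the way startup code would, but validate it before
 * use. An absent or oversized value yields NULL so the caller keeps the
 * compiled-in default instead of trusting the environment. */
static const char *locale_dir_from_env(char *dst, size_t dstlen)
{
    const char *v = getenv("PATH_LOCALE");

    if (v == NULL)
        return NULL;
    if (copy_locale_path_checked(v, dst, dstlen) < 0)
        return NULL;
    return dst;
}

int main(void)
{
    char buf[LOCALE_PATH_MAX];
    char big[200];

    /* Constructed inputs: a normal value and one that cannot fit. */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    (void)copy_locale_path_unsafe("/usr/share/locale");  /* short, fits */

    setenv("PATH_LOCALE", "/usr/share/locale", 1);
    printf("normal:    %s\n",
           locale_dir_from_env(buf, sizeof buf) ? buf : "(rejected)");

    setenv("PATH_LOCALE", big, 1);
    printf("oversized: %s\n",
           locale_dir_from_env(buf, sizeof buf) ? buf : "(rejected)");
    return 0;
}
```

The checked version deliberately fails closed: rather than truncating an over-long directory name (which would make the program search a path the operator never configured), it refuses the value and lets the caller use the default.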