Date: Fri, 12 Mar 2004 12:15:26 +0100 From: Marc Olzheim <marcolz@stack.nl> To: Ruslan Ermilov <ru@FreeBSD.org> Cc: security@FreeBSD.org Subject: Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv. Message-ID: <20040312111526.GA14260@stack.nl> In-Reply-To: <20040312110657.GB52099@ip.net.ua> References: <200403120922.i2C9M0jC002510@stud326.idi.ntnu.no> <20040312104914.GA52099@ip.net.ua> <20040312105730.GA99925@stud326.idi.ntnu.no> <20040312110657.GB52099@ip.net.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Mar 12, 2004 at 01:06:57PM +0200, Ruslan Ermilov wrote: > And the fact that optind is initially set to 1. I wonder what > could be the implications for setuid programs. There could be > quite unpredictable results, as the "argv" pointer is incorrectly > advanced in this case, and at least several setuid programs that > I've glanced at are vulnerable to this attack. See also: http://www.freebsd.org/cgi/query-pr.cgi?pr=33738 Marc
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040312111526.GA14260>