Date: Thu, 7 Sep 2000 11:22:10 +0200 (CEST)
From: Paul Herman <pherman@frenchfries.net>
To: Neil Blakey-Milner <nbm@mithrandr.moria.org>
Cc: Kris Kennaway <kris@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <Pine.BSF.4.21.0009071114230.354-100000@bagabeedaboo.security.at12.de>
In-Reply-To: <20000907104925.A37872@mithrandr.moria.org>

On Thu, 7 Sep 2000, Neil Blakey-Milner wrote:

> On Thu 2000-09-07 (10:12), Vladimir Mencl, MK, susSED wrote:
> >
> > However, I think that FreeBSD is vulnerable with the sudo port
> > installed.
> >
> > Although sudo discards some dangerous environment variables (LD_LIBRARY_PATH)
> > it does pass the LC_ALL, PATH_LOCALE variables through.
>
> Why would someone install the sudo RedHat package on FreeBSD? :)

I think he meant the FreeBSD sudo port, which in turn *may* sudo a
Linux binary. (yes, I know, not so likely, but...)

However, this thread only talked about vulnerable Linux programs under
emulation. There were indeed two advisories this last weekend, the
glibc advisory (linux only) and the locale advisory, which AFAIK
affects other platforms (Solaris is affected, for example.)

I've been following freebsd-security, but I haven't seen any
confirmation one way or the other (except for linux binaries mentioned
in this thread.)

Kris, is FreeBSD itself vulnerable to the locale vuln.?

-Paul.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message