From owner-freebsd-security Tue Feb 4 02:16:46 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id CAA07159 for security-outgoing; Tue, 4 Feb 1997 02:16:46 -0800 (PST)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA07150 for ; Tue, 4 Feb 1997 02:16:41 -0800 (PST)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id CAA23827 for ; Tue, 4 Feb 1997 02:18:05 -0800 (PST)
Received: (qmail 15152 invoked by uid 110); 4 Feb 1997 10:16:17 -0000
Message-ID: <19970204101617.15151.qmail@suburbia.net>
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-Reply-To: from "Charles M. Hannum" at "Feb 3, 97 01:11:36 pm"
To: mycroft@GNU.AI.MIT.EDU
Date: Tue, 4 Feb 1997 21:16:17 +1100 (EST)
Cc: security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> "Thomas H. Ptacek" writes:
>
> >
> >
> > The issue is that FreeBSD 2.1.5's crt0.c start() routine, which calls the
> > "main()" entry point function in the program that is starting, will under
> > some circumstances call routines that set the "locale" of the program. The
> > routines that do this are heavily dependent on environment variables,
> > which are in some circumstances copied directly into local character
> > buffers on the stack of the locale routines.
>
> I'd like to point out that, despite the subject line, this hole has
> nothing to do with 4.4BSD; it is specific to FreeBSD, and does *not*
> affect other 4.4BSD-derived systems.
>

Yes, it does. But not by crt0.
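The pattern Ptacek describes in the quoted paragraph (an environment variable copied unchecked into a fixed-size stack buffer during locale setup), shown as an added C example beside a bounded form that treats the environment as untrusted input. This is illustrative code written for this message, not FreeBSD's crt0 or locale source; the function names, the LOCALE_MAX buffer size and the accepted character set are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define LOCALE_MAX 32   /* assumed buffer size; the real value is not given in the thread */

/* Unsafe pattern from the report: the environment value goes into a fixed-size
 * stack buffer with no length check, so a LANG value of LOCALE_MAX bytes or
 * more overruns the buffer. Shown for contrast only; never called here. */
int locale_init_unsafe(const char *env_value)
{
    char buf[LOCALE_MAX];
    strcpy(buf, env_value);               /* unbounded copy of caller-controlled input */
    return (int)strlen(buf);
}

/* Bounded form: reject (do not truncate) anything that does not fit, and accept
 * only the characters a locale name may contain. Returns 1 on acceptance,
 * 0 on rejection; 'out' is written only on acceptance. */
int locale_init_safe(const char *env_value, char *out, size_t outlen)
{
    size_t n, i;
    if (env_value == NULL || out == NULL || outlen == 0)
        return 0;
    for (n = 0; n < outlen && env_value[n] != '\0'; n++) ;
    if (n == outlen)                      /* no terminator within outlen: too long */
        return 0;
    for (i = 0; i < n; i++) {
        char c = env_value[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '.' ||
              c == '-' || c == '@'))
            return 0;                     /* e.g. '/' or ':' is not a locale name */
    }
    memcpy(out, env_value, n + 1);
    return 1;
}

/* Convenience wrapper: would this LANG value be accepted into a LOCALE_MAX buffer? */
int locale_accepted(const char *env_value)
{
    char buf[LOCALE_MAX];
    return locale_init_safe(env_value, buf, sizeof buf);
}

int main(void)
{
    const char *lang = getenv("LANG");    /* untrusted: set by whoever started us */
    printf("LANG %s\n", locale_accepted(lang) ? "accepted" : "rejected, using \"C\"");
    return 0;
}
```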