Date: Wed, 5 Feb 1997 14:45:57 -0600 (CST)
From: Karl Denninger <karl@Mcs.Net>
To: guido@gvr.win.tue.nl (Guido van Rooij)
Cc: tqbf@enteract.com, karl@Mcs.Net, freebsd-security@freebsd.org, current@freebsd.org
Subject: PATCH VERIFIED AGAINST CRONTAB AND AT FOR -CURRENT BRANCH
Message-ID: <199702052045.OAA13118@Jupiter.Mcs.Net>
In-Reply-To: <199702052021.VAA17555@gvr.win.tue.nl> from "Guido van Rooij" at Feb 5, 97 09:21:39 pm
> > An advisory for this problem needs to be released immediately. The FreeBSD
> > project needs to come to grips with the fact that there are many, many
> > people who won't act on a problem until CERT releases an advisory. Until
> > that happens, people will remain vulnerable to the problem, regardless of
> > how much effort goes into finding "the right fix".
>
> I only want to make an advisory when we can advise something. At this time
> there is still uncertainty about what to do. I think the following
> should do the trick:
>
> 1) patch for crt0.c including something where the env. variable will be
>    ignored for SUID/SGID programs. This should solve the case where
>    ppl. want to rebuild everything
> 2) For a binary only fix:
>    a) new shared libc's for every release since 2.0
>    b) the lfix program that patches out the call to startup_setlocale
>       in the binary; this for every release and including
>       checks for immutable and append only flags. And of
>       course a README that will not leave any doubt on the
>       exact actions to take.
>
> That should do the trick. Please correct me if I forgot anything.
>
> -Guido

Ok. My preliminary testing is complete.

The patch that I made to setlocale() absolutely does close the hole for "crontab" and "at" in the -CURRENT branch. The exploit Tom provided to me no longer produces a core fault (which indicates that the stack frame got clobbered, and that minor adjustments to it would produce a root shell prompt instead).

As such, I expect that the rest of the problem is *ALSO* fixed with the patch that I posted to the security and current lists.

Critique away. If there isn't a DAMN GOOD reason not to commit that fix, I believe it should go in. Like now.
--
-- Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service
| 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax: [+1 773 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
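The fix Guido sketches in item 1, ignoring the locale environment override in set-user-ID/set-group-ID programs and never copying it into a fixed buffer unchecked, can be illustrated with a small C example. This is an added illustration, not Karl's patch or the FreeBSD libc/crt0 code; the variable name PATH_LOCALE, the default directory, the buffer size and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LOCALE_PATH_MAX 256                     /* assumed fixed buffer size */
#define DEFAULT_LOCALE_DIR "/usr/share/locale"  /* assumed default directory */

/* Choose the locale directory from an environment override.
 * Returns 1 if the override was accepted, 0 if it was ignored or rejected;
 * in both cases 'out' holds a valid path on return.
 * Rules: a set-user-ID/set-group-ID process never trusts the environment,
 * and a value that would not fit the fixed buffer is rejected outright
 * rather than truncated or copied with strcpy. */
int build_locale_dir(const char *env_value, int is_setugid, char *out, size_t outlen)
{
    size_t len;

    /* Fill in the default first so every early return leaves a usable path. */
    snprintf(out, outlen, "%s", DEFAULT_LOCALE_DIR);

    if (env_value == NULL || *env_value == '\0')
        return 0;
    if (is_setugid)
        return 0;                 /* privileged binary: ignore the override entirely */
    len = strlen(env_value);
    if (len >= outlen)
        return 0;                 /* would overflow the buffer: reject it */
    if (env_value[0] != '/')
        return 0;                 /* only accept an absolute directory path */

    memcpy(out, env_value, len + 1);
    return 1;
}

/* Wrapper that reads the real environment and credentials.  The uid/euid
 * comparison is portable but misses a program that already dropped
 * privileges; on FreeBSD the issetugid(2) call is the better check. */
int locale_dir_from_environment(char *out, size_t outlen)
{
    int setugid = (getuid() != geteuid()) || (getgid() != getegid());
    return build_locale_dir(getenv("PATH_LOCALE"), setugid, out, outlen);
}

int main(void)
{
    char dir[LOCALE_PATH_MAX];
    int used = locale_dir_from_environment(dir, sizeof dir);
    printf("%s (%s)\n", dir, used ? "from environment" : "default");
    return 0;
}
```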