From: tqbf@char-star.rdist.org (Thomas H. Ptacek)
Newsgroups: comp.unix.bsd.misc,comp.security.unix
Subject: Re: *BSD* Security WWW/Mailing List?
Date: 23 Apr 1997 21:50:38 GMT
Organization: EnterAct, L.L.C.
Lines: 59
Message-ID: <slrn5lt11e.ela.tqbf@char-star.rdist.org>
References: <3356E1CC.299E@softway.com.au> <335798C2.167EB0E7@freebsd.org> <DERAADT.97Apr18181055@zeus.pacifier.com> <slrn5li6bf.rjd.tqbf@char-star.rdist.org> <5jd1jt$m30@web.nmti.com> <slrn5ll06k.kd3.tqbf@char-star.rdist.org> <5jhur6$51u@innocence.interface-business.de> <slrn5lpvmq.1hm.tqbf@char-star.rdist.org> <5jl4b3$clb@innocence.interface-business.de>
Reply-To: tqbf@enteract.com
NNTP-Posting-Host: char-star.rdist.org
X-Newsreader: slrn (0.9.1.1 BETA UNIX)

23 Apr 1997 13:54:43 GMT j@ida.interface-business.de:

>Ok, I see your point, although it's only minor: the difference is
>whether only dynamic or any binary is affected.

I don't see this as a minor difference. Problems in the dynamic loader
can be solved by fixing one piece of code. Problems in the C runtime
library require recompilation or patching of every binary on the
system. The amount of work involved for admins to fix a problem is a
real and relevant issue.

>Which `terminal type' that might be a FreeBSD enhancement?

If I'm not mistaken, including a terminal type in /etc/ttys is a
FreeBSD enhancement.

>Besides, /etc/ttys being in the domain of the system administrator, so
>whatever it might be, it's at least one order of magnitude less
>critical.

Uh. It completely breaks securelevels. I think that's fairly critical.
Don't you?

As stated months ago (I again note that no announcement was made
regarding this problem), PID 1 can lower the securelevel (few people
realize this). /sbin/init, running on most systems at PID 1, has a
stack overflow involving a gettyent() pulling in an overly-long
terminal type from /etc/ttys. I don't think this is an "order of
magnitude" less critical than anything.

>securelevel 2. I think the biggest omission from the securelevel
>checks is for /dev/io, which has only recently been changed to

Pretty humorous, neh? I don't suppose any of you have bothered to ask
Mr. de Raadt about other potential problems with securelevels? He is,
as you probably are aware, paying quite a bit of attention to them now
that his entire source tree has been audited.

>No. Remember, FreeBSD 2.1.7 was quite some months before 2.2. The

No, I don't. FreeBSD 2.2-release might have been, but I was running
2.2 on my desktop when the hole was announced.

>months before however. It's only that this change never made it back
>to the 2.1 branch.

That's not true. As I stated when I alerted you to the problem in the
first place, 2.2 was, at the time, completely vulnerable as well. The
change FreeBSD made which "diminished" the problem was to remove
locale processing from crt0 start(), and into the main body of every
program that needed it. The libraries affected did *not* change, and
they were still called from privileged code, as I demonstrated at the
time.

Thanks for allowing me to clear these issues up.

---
---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com] ----------------
exit(main(kfp->kargc, argv, environ));
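As an added illustration of the /etc/ttys issue discussed in the post (example code, not from the thread or from FreeBSD's init): a C checker that parses ttys-style lines with a bounded field copy and flags terminal types over a chosen length. The sample lines and the 32-byte threshold are constructed for the example; the threshold is an assumption, not init's real buffer size.

```c
#include <string.h>

/* Constructed sample in /etc/ttys layout (name getty type status ...);
 * the last entry carries a deliberately overlong terminal type. */
static const char SAMPLE_TTYS[] =
    "console \"/usr/libexec/getty Pc\" cons25 on secure\n"
    "# comment lines are ignored\n"
    "ttyv0 \"/usr/libexec/getty Pc\" cons25 on secure\n"
    "ttyd0 \"/usr/libexec/getty std.9600\" "
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA on\n";

/* Read one field (double-quoted fields may contain spaces), copying at most
 * outsz-1 bytes and always NUL-terminating. Returns the field's true length
 * so the caller detects truncation rather than overrunning a fixed buffer. */
static size_t next_field(const char **p, char *out, size_t outsz)
{
    const char *s = *p;
    size_t len = 0;
    while (*s == ' ' || *s == '\t') s++;
    int quoted = (*s == '"');
    if (quoted) s++;
    while (*s && *s != '\n' && (quoted ? *s != '"' : *s != ' ' && *s != '\t')) {
        if (len + 1 < outsz) out[len] = *s;
        len++, s++;
    }
    out[len < outsz ? len : outsz - 1] = '\0';
    if (quoted && *s == '"') s++;
    *p = s;
    return len;
}

/* Count entries whose terminal type (third field) exceeds maxtype bytes;
 * maxtype is an assumed audit threshold, not init's real buffer size. */
int count_overlong_types(const char *text, size_t maxtype)
{
    int bad = 0;
    for (const char *line = text; *line; ) {
        const char *end = strchr(line, '\n');
        if (*line != '\n' && *line != '#') {
            char buf[64];
            const char *p = line;
            size_t n = 0;
            for (int i = 0; i < 3; i++) n = next_field(&p, buf, sizeof buf);
            if (n > maxtype) bad++;
        }
        line = end ? end + 1 : line + strlen(line);
    }
    return bad;
}
```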