*BSD News Article 94311


Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.ysu.edu!news.radio.cz!newsbastard.radio.cz!news.radio.cz!CESspool!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!newsfeed.nacamar.de!news.he.net!news.enteract.com!newsfeed.enteract.com!tqbf
From: tqbf@char-star.rdist.org (Thomas H. Ptacek)
Newsgroups: comp.unix.bsd.misc,comp.security.unix
Subject: Re: *BSD* Security WWW/Mailing List?
Date: 23 Apr 1997 21:50:38 GMT
Organization: EnterAct, L.L.C.
Lines: 59
Message-ID: <slrn5lt11e.ela.tqbf@char-star.rdist.org>
References: <3356E1CC.299E@softway.com.au> <335798C2.167EB0E7@freebsd.org>  <DERAADT.97Apr18181055@zeus.pacifier.com>  <slrn5li6bf.rjd.tqbf@char-star.rdist.org> <5jd1jt$m30@web.nmti.com>  <slrn5ll06k.kd3.tqbf@char-star.rdist.org>  <5jhur6$51u@innocence.interface-business.de>  <slrn5lpvmq.1hm.tqbf@char-star.rdist.org> <5jl4b3$clb@innocence.interface-business.de>
Reply-To: tqbf@enteract.com
NNTP-Posting-Host: char-star.rdist.org
X-Newsreader: slrn (0.9.1.1 BETA UNIX)
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.misc:3072 comp.security.unix:33939

23 Apr 1997 13:54:43 GMT j@ida.interface-business.de:
>Ok, i see your point, although it's only minor: the difference is
>whether only dynamic or any binary is affected.

I don't see this as a minor difference. Problems in the dynamic loader can
be solved by fixing one piece of code. Problems in the C runtime library
require recompilation or patching of every binary on the system. The
amount of work involved for admins to fix a problem is a real and relevant
issue. 

>Which `terminal type' that might be a FreeBSD enhancement?

If I'm not mistaken, including a terminal type in /etc/ttys is a FreeBSD
enhancement.

>Besides, /etc/ttys being in the domain of the system administrator, so
>whatever it might be, it's at least one order of magnitude less
>critical.

Uh. It completely breaks securelevels. I think that's fairly critical.
Don't you? As stated months ago (I again note that no announcement was
made regarding this problem), PID 1 can lower the securelevel (few people
realize this). /sbin/init, running on most systems at PID 1, has a stack
overflow involving a gettyent() pulling in an overly-long terminal type
from /etc/ttys. 

I don't think this is an "order of magnitude" less critical than anything.

>securelevel 2.  I think the biggest omission from the securelevel
>checks is for /dev/io, which has only recently been changed to

Pretty humorous, neh? I don't suppose any of you have bothered to ask Mr.
de Raadt about other potential problems with securelevels? He is, as you
probably are aware, paying quite a bit of attention to them now that his
entire source tree has been audited. 

>No.  Remember, FreeBSD 2.1.7 was quite some months before 2.2.  The

No, I don't. FreeBSD 2.2-release might have been, but I was running 2.2 on
my desktop when the hole was announced.

>months before however.  It's only that this change never made it back
>to the 2.1 branch.

That's not true. As I stated when I alerted you to the problem in the
first place, 2.2 was, at the time, completely vulnerable as well. The
change FreeBSD made which "diminished" the problem was to remove locale
processing from crt0 start(), and into the main body of every program that
needed it. The libraries affected did *not* change, and they were still
called from privileged code, as I demonstrated at the time.

Thanks for allowing me to clear these issues up.

--- 
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));
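The /sbin/init overflow Ptacek describes above (gettyent() pulling an over-long terminal type from /etc/ttys into a fixed-size buffer in PID 1, which can then lower the securelevel) comes down to a privileged parser trusting field lengths taken from a configuration file. The C code below is an added example, not from this thread and not from any BSD source tree: a bounded parser for ttys-style lines that refuses any field that would not fit its buffer, together with an audit helper that counts such entries in a file's contents. The field limit TTYS_FIELD_MAX, the sample ttys text, the line-format subset and all function names are assumptions made for this illustration; the real <ttyent.h> interface is not used.

```c
/* Added example (not from the original thread or from any BSD source):
 * a bounded parser for /etc/ttys-style lines that rejects over-long fields
 * instead of copying them into a fixed buffer.  TTYS_FIELD_MAX, the line
 * format handled here ("name getty type status ...") and the sample text are
 * assumptions for this illustration; <ttyent.h>/gettyent() are not used. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define TTYS_FIELD_MAX 31   /* assumed capacity of each fixed field buffer */

struct ttys_entry {
    char name[TTYS_FIELD_MAX + 1];
    char getty[TTYS_FIELD_MAX + 1];
    char type[TTYS_FIELD_MAX + 1];
    char status[TTYS_FIELD_MAX + 1];
};

/* Copy one whitespace-delimited (or double-quoted) field from *pp into dst.
 * Never reads past the end of the current line.  Returns 0 on success, -1 if
 * the field is missing, unterminated, or longer than TTYS_FIELD_MAX. */
static int take_field(const char **pp, char *dst) {
    const char *p = *pp;
    const char *start;
    size_t len;

    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '\n' || *p == '#') return -1;   /* missing field */
    if (*p == '"') {
        start = ++p;
        while (*p && *p != '"' && *p != '\n') p++;
        if (*p != '"') return -1;                            /* unterminated */
        len = (size_t)(p - start);
        p++;                                                 /* skip closing quote */
    } else {
        start = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        len = (size_t)(p - start);
    }
    if (len > TTYS_FIELD_MAX) return -1;   /* would overflow the fixed buffer: refuse */
    memcpy(dst, start, len);
    dst[len] = '\0';
    *pp = p;
    return 0;
}

/* Parse one line into out.  Returns 0 on success, -1 for a blank or comment
 * line, -2 if any of the four required fields is missing or too long. */
int parse_ttys_line(const char *line, struct ttys_entry *out) {
    const char *p = line;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '\n' || *p == '#') return -1;
    if (take_field(&p, out->name) || take_field(&p, out->getty) ||
        take_field(&p, out->type) || take_field(&p, out->status))
        return -2;
    return 0;
}

/* Audit helper: count entries in ttys-format text that the bounded parser
 * rejects.  A non-zero result means the file carries a field that a
 * fixed-buffer reader would have to truncate or overrun. */
int count_rejected_ttys_entries(const char *text) {
    int rejected = 0;
    const char *p = text;
    while (*p) {
        struct ttys_entry e;
        if (parse_ttys_line(p, &e) == -2) rejected++;
        const char *nl = strchr(p, '\n');
        p = nl ? nl + 1 : p + strlen(p);
    }
    return rejected;
}

/* Constructed sample, not a real /etc/ttys.  The last entry carries a
 * 40-character terminal type, longer than TTYS_FIELD_MAX. */
const char SAMPLE_TTYS[] =
    "# name  getty                    type    status\n"
    "console none                     unknown off secure\n"
    "ttyv0   \"/usr/libexec/getty Pc\"  cons25  on  secure\n"
    "ttyv1   \"/usr/libexec/getty Pc\"  "
    "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" " on secure\n";

int main(void) {
    struct ttys_entry e;
    if (parse_ttys_line("ttyv0 \"/usr/libexec/getty Pc\" cons25 on secure", &e) == 0)
        printf("parsed: name=%s type=%s status=%s\n", e.name, e.type, e.status);
    printf("rejected entries in sample: %d\n",
           count_rejected_ttys_entries(SAMPLE_TTYS));
    return 0;
}
```

The design choice worth noting is that the length check happens before any copy: a reader that first copies and then validates has already overrun the buffer by the time it notices. The audit helper gives an administrator a way to check a ttys file against the same limit without running the privileged consumer of that file.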