[11559] in bugtraq
Re: FreeBSD (and other BSDs?) local root exploit
daemon@ATHENA.MIT.EDU (Todd C. Miller)
Sat Aug 28 15:44:24 1999
Message-Id: <199908271534.JAA27164@xerxes.cs.colorado.edu>
Date: Fri, 27 Aug 1999 09:34:11 -0600
Reply-To: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
From: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
X-To: Przemyslaw Frasunek <secure@FREEBSD.LUBLIN.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Tue, 24 Aug 1999 23:47:05 +0200."
<XFMail.990824234705.secure@FreeBSD.lublin.pl>

This looks like the BSD libc fts.c bug discussed here in May.
OpenBSD is not vulnerable to this since it does not follow symlinks
when dumping core. Also, I committed a fix in OpenBSD to the fts.c
bug (based on the bugtraq posting) shortly after it was found.
As a result find did not get a SEGV on OpenBSD-current (and if it
had find.core would not have followed the link anyway).
I have passed along the fts.c patch to the NetBSD folks and I know
that one of the FreeBSD guys was recently working on incorporating
changes from the OpenBSD fts.c. I don't see the relevant change in
FreeBSD-current though.
From discussions on the NetBSD security list it looks like NetBSD
is going to disallow core dumps through a symlink--I would encourage
FreeBSD to do the same.
- todd
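The policy the reply credits OpenBSD with (and that NetBSD was adopting), refusing to write a core file through a symlink, is easy to get wrong if the check is done on the path rather than on the descriptor actually being written. The following is an added example, not code from the original post or from any BSD kernel: a small user-space C routine that opens a dump file with O_NOFOLLOW and then validates the open descriptor with fstat(), plus two demo scenarios built in a scratch directory under /tmp. The function names, the scratch-directory layout and the file names are assumptions made for this illustration.

```c
/* Added example, not part of the original post: the "don't follow symlinks
 * when writing a core file" policy the reply attributes to OpenBSD, shown as
 * a user-space C routine. Function names and /tmp paths are assumptions. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a dump file at `path` on behalf of `owner`. Returns an fd or -1.
 * O_NOFOLLOW makes open() fail when the last path component is a symlink
 * (ELOOP on Linux, EMLINK on some BSDs). The fstat() is done on the fd we
 * hold, not via a second lstat() on the path, so there is no check-then-use
 * window: the file must be a regular file with a single link and be owned
 * by the user the dump is being written for. */
int open_dump_nofollow(const char *path, uid_t owner) {
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                       /* symlink at path: refused */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    if (ftruncate(fd, 0) < 0) {          /* only now is overwriting safe */
        close(fd);
        return -1;
    }
    return fd;
}

/* Create a scratch directory for the demo; returns 0 on success. */
static int make_scratch(char *dir, size_t len) {
    snprintf(dir, len, "%s", "/tmp/coredemo.XXXXXX");
    return mkdtemp(dir) ? 0 : -1;
}

/* Remove demo files and the directory; errors ignored since it is cleanup. */
static void cleanup(const char *dir, const char *a, const char *b) {
    if (a) unlink(a);
    if (b) unlink(b);
    rmdir(dir);
}

/* Scenario 1 (constructed): "prog.core" is a symlink to another file.
 * Returns 1 if the dump was refused and the link target left intact. */
int demo_symlink_refused(void) {
    char dir[64], target[128], link[128];
    if (make_scratch(dir, sizeof dir) < 0) return 0;
    snprintf(target, sizeof target, "%s/other_file", dir);
    snprintf(link, sizeof link, "%s/prog.core", dir);

    int tfd = open(target, O_WRONLY | O_CREAT, 0600);   /* the link's target */
    if (tfd < 0) { cleanup(dir, NULL, NULL); return 0; }
    if (write(tfd, "keep me\n", 8) != 8) { close(tfd); cleanup(dir, target, NULL); return 0; }
    close(tfd);
    if (symlink(target, link) < 0) { cleanup(dir, target, NULL); return 0; }

    int fd = open_dump_nofollow(link, getuid());
    int refused = (fd < 0);
    if (fd >= 0) close(fd);

    /* The target must still hold its original 8 bytes. */
    struct stat st;
    int intact = (stat(target, &st) == 0 && st.st_size == 8);
    cleanup(dir, link, target);
    return refused && intact;
}

/* Scenario 2 (constructed): nothing exists at "prog.core" yet.
 * Returns 1 if the dump was created and written as a regular file. */
int demo_regular_allowed(void) {
    char dir[64], path[128];
    if (make_scratch(dir, sizeof dir) < 0) return 0;
    snprintf(path, sizeof path, "%s/prog.core", dir);

    int fd = open_dump_nofollow(path, getuid());
    int ok = 0;
    if (fd >= 0) {
        ok = (write(fd, "core\n", 5) == 5);
        close(fd);
    }
    cleanup(dir, path, NULL);
    return ok;
}

int main(void) {
    printf("symlinked core path refused: %s\n", demo_symlink_refused() ? "yes" : "no");
    printf("regular core path written:   %s\n", demo_regular_allowed() ? "yes" : "no");
    return 0;
}
```

The important design point is that the decision is made on the descriptor returned by open(), so an attacker who swaps the path between a check and the write gains nothing; the nlink and owner checks additionally reject hard links to files the dumping user does not own.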