[25208] in bugtraq
Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Mon Apr 22 17:37:14 2002
Message-Id: <200204221923.g3MJNpAi011846@cvs.openbsd.org>
To: security-advisories@freebsd.org
Cc: Bugtraq <bugtraq@securityfocus.com>
In-reply-to: Your message of "Mon, 22 Apr 2002 11:01:35 PDT."
<200204221801.g3MI1Zu96486@freefall.freebsd.org>
Date: Mon, 22 Apr 2002 13:23:51 -0600
From: Theo de Raadt <deraadt@cvs.openbsd.org>

> Topic: insecure handling of stdio file descriptors

They didn't say so, but this work was obviously based on:

RCS file: /cvs/src/sys/kern/kern_exec.c,v
...
revision 1.20
date: 1998/07/02 08:53:04; author: deraadt; state: Exp; lines: +38 -1
for sugid procs ensure that fd 0-2 are allocated slots (by pointing at
/dev/null -- future patch will use a dead vnode of some sort) to prevent
reuse (ie. new allocations) of these fd which libc makes many assumptions
about; problem noted by James Youngman
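
An added example, not part of the original message and not the kern_exec.c change itself: the same idea applied in userland C, where a program fills any unallocated slot among fds 0-2 with /dev/null before opening anything else. The function names `ensure_stdio_fds` and `open_after_close` are hypothetical, and the second function only demonstrates the descriptor reuse the log entry describes.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Userland analogue of the kernel check quoted above: make sure fds 0-2
 * are allocated before the program opens anything else.
 * Returns how many slots had to be filled, or -1 on error. */
int ensure_stdio_fds(void)
{
    int filled = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                   /* slot already allocated */
        if (errno != EBADF)
            return -1;
        /* Slots below fd are allocated, so open() must return fd. */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd != fd) {
            if (nfd != -1)
                close(nfd);
            return -1;
        }
        filled++;
    }
    return filled;
}

/* Shows the reuse being prevented: with `fd` closed, the next open() is
 * handed that number. Assumes fds 0-2 start out allocated; restores `fd`. */
int open_after_close(int fd)
{
    int saved = dup(fd);
    if (saved == -1)
        return -1;
    close(fd);
    int got = open("/dev/null", O_WRONLY);  /* stands in for any file */
    if (got != -1)
        close(got);
    dup2(saved, fd);
    close(saved);
    return got;
}

int main(void)
{
    int n = ensure_stdio_fds();
    if (n < 0)
        return 1;
    printf("filled %d slot(s); open after close(2) got fd %d\n",
           n, open_after_close(2));
    return 0;
}
```
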