[25225] in bugtraq


Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Apr 23 15:00:49 2002

From: "Steven M. Bellovin" <smb@research.att.com>
To: Bugtraq <bugtraq@securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 22 Apr 2002 18:30:25 -0400
Message-Id: <20020422223025.94EAB7B4B@berkshire.research.att.com>

It's amazing that this has taken so long to resurface.  This is an 
ancient bug -- see, for example, Henry Spencer's suid man page from 
1987 (http://groups.google.com/groups?q=checklist+security+setuid+-linux+group:alt.security&hl=en&scoring=r&selm=1991May14.101450.830%40convex.com&rnum=1
quotes it).  The document notes, among other pieces of sage advice, the 
following:

	One or more of the standard descriptors might be closed, so that
	an opened file might get (say) descriptor 1, causing chaos if the
	program tries to do a
	.IR printf .

I seem to recall the same suggestion in an early document by Jim Ellis 
and (I think) Tom Truscott, but I can't find a copy at the moment.


		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
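
Added example, not part of the original message or of the man page it quotes: a C sketch of the start-up check that the quoted advice implies, run before the program opens any file of its own. The helper name ensure_std_fds() and the use of /dev/null as the filler are assumptions made for this illustration.

```c
/* Added example: make sure descriptors 0, 1 and 2 are open before any
 * other file is opened.  ensure_std_fds() is a hypothetical helper name. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Returns how many of fds 0..2 were closed and had to be pointed at
 * /dev/null, or -1 if the repair failed (caller should then exit). */
int ensure_std_fds(void)
{
    int repaired = 0;

    for (int fd = 0; fd <= 2; fd++) {
        /* F_GETFD fails with EBADF only when fd is not open. */
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;

        /* open() hands out the lowest free descriptor; because we walk
         * 0, 1, 2 in order, that is fd itself. */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {            /* defensive: force it into place */
            if (dup2(nfd, fd) == -1) { close(nfd); return -1; }
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}

int main(void)
{
    /* First thing in main(), before any open(), fopen() or socket(). */
    int n = ensure_std_fds();
    if (n < 0)
        _exit(1);                   /* do not run with a hole in 0..2 */

    /* From here on, a newly opened file cannot land on 0, 1 or 2. */
    int fd = open("/dev/null", O_WRONLY);
    printf("repaired %d descriptor(s); new file got fd %d\n", n, fd);
    if (fd != -1) close(fd);
    return 0;
}
```

If /dev/null is unavailable (for example inside a minimal chroot), the helper returns -1 and the program should exit without opening anything else.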


