Upcoming FreeBSD Security Advisory
Oliver Pinter
oliver.pntr at gmail.com
Tue Dec 1 17:50:10 UTC 2009
http://twitter.com/spendergrsec/status/6223864530
http://xorl.wordpress.com/2009/12/01/freebsd-ld_preload-security-bypass/
On 12/1/09, Sean C. Farley <scf at freebsd.org> wrote:
> On Tue, 1 Dec 2009, Dan Lukes wrote:
>
>> Dag-Erling Smørgrav wrote, On 12/01/09 14:12:
>>> As to the second: yes, 6.1 is most likely affected.
>>
>> Probably no.
>>
>> The older algorithm used in 6.1 looks like
>> -----------------
>> if (trusted) {
>> variable = getenv(NAME);
>> ....
>> -----------------
>>
>> The affected algorithm looks like:
>> -----------------
>> if (!trusted) {
>> unsetenv(NAME);
>> ...
>> };
>> variable = getenv(NAME);
>> -----------------
>>
>> As far as I know such a change has been MFCed into 6.3, 6.4, 7.x but not
>> into 6.1. So 6.1 should not be affected by this bug (but remains
>> vulnerable to the problem that triggered the change of the old algorithm to
>> the new one).
>
> That is correct. 6.x should not be affected. The security issue exists
> with the combination of the getenv() to unsetenv() change in rtld.c and
> the addition of the new env code. The unsetenv() in 6.x would not stop
> if environ was corrupted.
>
> Sean
> --
> scf at FreeBSD.org
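The two patterns Dan Lukes sketches and the failure mode Sean describes, as an added C example that is not code from the thread or from FreeBSD's rtld: a private toy environment stands in for environ, the `unset_fails` flag models an unsetenv() that cannot complete its walk, and the function names and sample entries are assumptions.

```c
/* Added example, not code from the thread: the two rtld patterns the reply
 * contrasts, run against a private toy environment instead of environ.
 * "unset then read" fails open when the unset step cannot complete;
 * "read only if trusted" fails closed. */
#include <string.h>

#define MAX_ENV 8
struct env { const char *v[MAX_ENV + 1]; }; /* NULL-terminated "NAME=value" */

static const char *env_get(const struct env *e, const char *name) {
    size_t n = strlen(name);
    for (int i = 0; e->v[i] != NULL; i++)
        if (strncmp(e->v[i], name, n) == 0 && e->v[i][n] == '=')
            return e->v[i] + n + 1;
    return NULL;
}

/* Simulated unsetenv(): 'fail' models a walk it cannot finish, as the
 * reply says a corrupted environ would cause; returns -1 in that case. */
static int env_unset(struct env *e, const char *name, int fail) {
    if (fail) return -1;
    size_t n = strlen(name);
    for (int i = 0; e->v[i] != NULL; i++)
        if (strncmp(e->v[i], name, n) == 0 && e->v[i][n] == '=') {
            for (int j = i; e->v[j] != NULL; j++) e->v[j] = e->v[j + 1];
            i--; /* re-examine the entry shifted into this slot */
        }
    return 0;
}

/* 6.1 shape: the variable is consulted only when trusted. */
const char *preload_old(struct env *e, int trusted, int unset_fails) {
    (void)unset_fails;
    return trusted ? env_get(e, "LD_PRELOAD") : NULL;
}

/* Affected shape: unset when untrusted, then read unconditionally, with the
 * unsetenv() result ignored, so a failed unset leaves the value in use. */
const char *preload_new(struct env *e, int trusted, int unset_fails) {
    if (!trusted) env_unset(e, "LD_PRELOAD", unset_fails);
    return env_get(e, "LD_PRELOAD");
}

/* Hardened shape: a failed unset is treated as untrusted, i.e. fail closed. */
const char *preload_fixed(struct env *e, int trusted, int unset_fails) {
    if (!trusted && env_unset(e, "LD_PRELOAD", unset_fails) != 0) return NULL;
    return env_get(e, "LD_PRELOAD");
}
```

Called with trusted=0 and unset_fails=1 on an environment carrying LD_PRELOAD, preload_new still returns the value while preload_old and preload_fixed return NULL.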