FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

Nikolaos Rangos nikolaos.rangos at googlemail.com
Fri Dec 4 18:31:30 UTC 2009


Hello all,

First of all this was a real quick patch time for the rtld bug.
Nevertheless I have to say some things about the patch.

In my eyes the first quickpatch sent out in the first place, when the exploit was posted on bugtraq, did for sure fix the bug that let one slip through rtld and become root. I don't think the final patch did patch the root cause though. I know it's up to the FreeBSD Team to give out advisories and patch bugs; I just give my opinion on the bug here.

unsetenv FAILS to unset the environment variable, so why is this? Because of the bug that let one corrupt the environment. So in my opinion it is not sufficient to patch a code line in one place and leave other instances, where this bug may happen, open to the bug. Env calls are used widely.

I did some more auditing and found out that putenv and setenv also FAIL on setting environment variables when the environ array variable is modified directly to corrupt the environment. So it would be possible to set an environment variable which in this case is not UNSETABLE or SETABLE (unsetenv and putenv/setenv respectively). In my eyes this is a bad behaviour of the environment handling routines introduced recently in FreeBSD. So the bug is not only in not checking the return values, but also in the code that lets one refuse to set or unset envvars. I do my best to understand it correctly but may be wrong on this.

I would be glad to see this fixed soon if it hasn't happened to this day, but as I said it's up to the FreeBSD Team, which did a great job here.

Regards,

Nikolaos Rangos
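The defensive counterpart of the point made above, as an added example that is not part of the mail or of FreeBSD's rtld: a scrubber that both checks the return value of unsetenv() and verifies afterwards that the variable is really gone, refusing to continue otherwise, run against a constructed environment where `environ` has been pointed at a caller-owned array. The variable names and values in the list are assumptions for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Constructed list of variables a privileged program should drop. */
static const char *const scrub_list[] = { "LD_PRELOAD", "LD_LIBRARY_PATH", NULL };

/* Unset each listed variable and verify the post-condition.
 * Returns 0 on success, -1 if unsetenv() reports failure or the
 * variable is still visible afterwards: fail closed instead of
 * silently trusting the call. */
int scrub_env(void)
{
    int rc = 0;
    for (const char *const *p = scrub_list; *p; ++p) {
        if (unsetenv(*p) != 0) {      /* the return value rtld ignored */
            perror("unsetenv");
            rc = -1;
        }
        if (getenv(*p) != NULL) {     /* verify, don't just trust */
            fprintf(stderr, "%s still set after unsetenv\n", *p);
            rc = -1;
        }
    }
    return rc;
}

/* Point `environ` at a caller-owned array (the direct modification the
 * mail describes), then scrub. Entries are constructed sample data. */
int demo_direct_environ(void)
{
    static char e0[] = "HOME=/tmp/example";
    static char e1[] = "LD_PRELOAD=/tmp/example.so";
    static char e2[] = "PATH=/usr/bin:/bin";
    static char *fake_env[] = { e0, e1, e2, NULL };
    environ = fake_env;
    return scrub_env();
}

int main(void)
{
    int rc = demo_direct_environ();
    printf("scrub %s\n", rc == 0 ? "ok" : "FAILED, refusing to continue");
    return rc == 0 ? 0 : 1;
}
```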

