Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld



Sorry, this might seem a stupid question, but...
In several places I read that FreeBSD 6.x is NOT affected; however, I
heard some people discussing how to apply the patch to such systems.
So, I'd like to know for sure: is 6.x affected? Is another patch on the
way for it?

bye & Thanks
av.

The change that introduced the bug was made as follows:

| Revision 1.124: download - view: text, markup, annotated - select for diffs
| Thu May 17 18:00:27 2007 UTC (2 years, 6 months ago) by csjp
| Branches: MAIN
| CVS tags: RELENG_7_BP, RELENG_7_0_BP, RELENG_7_0_0_RELEASE, RELENG_7_0
| Branch point for: RELENG_7
| Diff to: previous 1.123: preferred, colored
| Changes since revision 1.123: +20 -10 lines
|
| In the event a process is tainted (setuid/setgid binaries), un-set any
| potentially dangerous environment variables altogether. It should be
| noted that the run-time linker will not honor these environment variables
| if the process is tainted currently. However, once a child of the tainted
| process calls setuid(2), its status as being tainted (as defined by
| issetugid(2)) will be removed. This could be problematic because
| subsequent activations of the run-time linker could honor these
| dangerous variables.
|
| This is more of an anti foot-shot mechanism, there is nothing I am
| aware of in base that does this, however there may be third party
| utilities which do, and there is no real negative impact of clearing
| these environment variables.
|
| Discussed on: secteam
| Reviewed by: cperciva
| PR: kern/109836
| MFC after: 2 weeks

This was also MFC'd into 6.3 onwards:

| Revision 1.106.2.7: download - view: text, markup, annotated - select for diffs
| Sat Jul 14 19:04:00 2007 UTC (2 years, 4 months ago) by csjp
| Branches: RELENG_6
| CVS tags: RELENG_6_4_BP, RELENG_6_3_BP, RELENG_6_3_0_RELEASE, RELENG_6_3
| Branch point for: RELENG_6_4
| Diff to: previous 1.106.2.6: preferred, colored; branchpoint 1.106: preferred, colored; next MAIN 1.107: preferred, colored
| Changes since revision 1.106.2.6: +20 -10 lines
|
| MFC rtld.c revision 1.124
|
| Unset potentially harmful environment variables.
|
| Discussed on: secteam
| PR: kern/109836


So, yes, FreeBSD 6.3-RELEASE upwards are affected - FreeBSD 6.2 isn't.
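
The reasoning in the revision 1.124 log quoted above, as an added example (not part of the original message and not code from rtld.c): a small C model comparing "ignore the variables while tainted" with "remove them while tainted", then asking what a later, untainted activation of the linker would honor. The function names, the "LD_" prefix test, and the `tainted` flag standing in for issetugid(2) are assumptions made for illustration; the environment entries are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the linker's control variables all start with "LD_". */
static int is_dangerous(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Model of the linker: while tainted it ignores dangerous variables,
 * otherwise it acts on every one it finds. Returns how many it honors. */
int linker_honors(int tainted, char *const *envp)
{
    int n = 0;
    for (size_t i = 0; !tainted && envp[i] != NULL; i++)
        n += is_dangerous(envp[i]);
    return n;
}

/* Behaviour the commit log describes: when tainted, remove the variables
 * (duplicates too) by compacting envp in place. Returns entries removed. */
int scrub_if_tainted(int tainted, char **envp)
{
    size_t kept = 0;
    int removed = 0;
    if (!tainted)
        return 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (is_dangerous(envp[i]))
            removed++;
        else
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environments (identical contents). */
    char *ignored[] = { "PATH=/bin", "LD_PRELOAD=/constructed/a.so", "HOME=/root", NULL };
    char *scrubbed[] = { "PATH=/bin", "LD_PRELOAD=/constructed/a.so", "HOME=/root", NULL };

    /* Tainted parent, then a child whose taint was cleared by setuid(2). */
    printf("ignore only: parent=%d child=%d\n",
           linker_honors(1, ignored), linker_honors(0, ignored));
    scrub_if_tainted(1, scrubbed);
    printf("scrub:       child=%d\n", linker_honors(0, scrubbed));
    return 0;
}
```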