Bugtraq mailing list archives

Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio

From: "Steven M. Bellovin" <smb () research att com>
Date: Mon, 22 Apr 2002 18:30:25 -0400

It's amazing that this has taken so long to resurface.  This is an 
ancient bug -- see, for example, Henry Spencer's suid man page from 
1987 
(http://groups.google.com/groups?q=checklist+security+setuid+-linux+group:alt.security&hl=en&scoring=r&selm=1991May14.101450.830%40convex.com&rnum=1
quotes it).  The document notes, among other pieces of sage advice, the 
following:

        One or more of the standard descriptors might be closed, so that
        an opened file might get (say) descriptor 1, causing chaos if the
        program tries to do a
        .IR printf .

I seem to recall the same suggestion in an early document by Jim Ellis 
and (I think) Tom Truscott, but I can't find a copy at the moment.


                --Steve Bellovin, http://www.research.att.com/~smb
                Full text of "Firewalls" book now at http://www.wilyhacker.com

Current thread:

FreeBSD Security Advisory FreeBSD-SA-02:23.stdio FreeBSD Security Advisories (Apr 22)
- Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio bert hubert (Apr 22)
- Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio Theo de Raadt (Apr 22)
- <Possible follow-ups>
- Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio Steven M. Bellovin (Apr 23)
  - trusting user-supplied data (was Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio) James Ralston (Apr 24)