Bugtraq mailing list archives

Re: FreeBSD (and other BSDs?) local root exploit


From: Todd.Miller () COURTESAN COM (Todd C. Miller)
Date: Fri, 27 Aug 1999 09:34:11 -0600


This looks like the BSD libc fts.c bug discussed here in May.
OpenBSD is not vulnerable to this since it does not follow symlinks
when dumping core.  Also, I committed a fix in OpenBSD to the fts.c
bug (based on the bugtraq posting) shortly after it was found.
As a result find did not get a SEGV on OpenBSD-current (and if it
had find.core would not have followed the link anyway).

I have passed along the fts.c patch to the NetBSD folks and I know
that one of the FreeBSD guys was recently working on incorporating
changes from the OpenBSD fts.c.  I don't see the relevant change in
FreeBSD-current though.

is going to disallow core dumps through a symlink--I would encourage
FreeBSD to do the same.

 - todd
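
A user-space analogue of the behaviour described in the message above (refusing to write a dump file through a symlink), added here as an example; it is not OpenBSD kernel code and not part of the original post. The function names, the scratch directory and the file contents are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive dump writer: follows a symlink planted at `path`. */
static int open_dump_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_NOFOLLOW makes open() fail if the final component is a symlink. */
static int open_dump_nofollow(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a scratch directory holds a 6-byte "target" file and
 * a symlink named find.core pointing at it. Returns the target's size after
 * a 4-byte dump is attempted through the link, or -1 on setup failure. */
long target_size_after_dump(int hardened) {
    char dir[] = "/tmp/coredemoXXXXXX", target[64], core[64];
    struct stat st;
    long size = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(core, sizeof core, "%s/find.core", dir);
    FILE *f = fopen(target, "w");
    if (f && fputs("secret", f) >= 0 && fclose(f) == 0 && symlink(target, core) == 0) {
        int fd = hardened ? open_dump_nofollow(core) : open_dump_naive(core);
        if (fd >= 0) {
            if (write(fd, "CORE", 4) != 4) perror("write");
            close(fd);
        }
        if (stat(target, &st) == 0) size = (long)st.st_size;
    }
    unlink(core);   /* clean up the scratch directory */
    unlink(target);
    rmdir(dir);
    return size;
}

int main(void) {
    printf("naive:    target is now %ld bytes\n", target_size_after_dump(0));
    printf("hardened: target is now %ld bytes\n", target_size_after_dump(1));
    return 0;
}
```

With the naive open the linked file is truncated and overwritten; with `O_NOFOLLOW` the open fails and the file keeps its original contents.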

