Subject: Re: NetBSD Security Advisory 2001-016: unsafe chdir usage in fts(3)
To: Steven M. Bellovin <smb@research.att.com>
From: David Maxwell <david@vex.net>
List: tech-security
Date: 09/06/2001 14:14:50
On Thu, Sep 06, 2001 at 01:57:57PM -0400, Steven M. Bellovin wrote:
> The instructions here don't (quite?) work. I'll focus on the 1.5
> version, but I think there are bugs in the others as well.
>
> First, 'patch' says that it can't find the file. I suspect that I have
> to use -p3.
That's a good suggestion. I'll discuss that with the Security Officers,
and we'll probably add it to our advisory template.
> Second, will that 'make' recompile the entire world, or
> just libc? I'd guess the former -- shouldn't there be a 'cd lib/libc'
> before the make?
Yes there should be. I'll fix that right now.
> Finally -- and this ties in to another thread -- this is no way to run
> an airline. At least for "supported" systems, it would be nice to have
> a tarball with the recompiled libc plus the static binaries listed
> below. In fact, it's not just nice, it's essential, since everyone
> with more than one machine will now need to create such tarballs for
> themselves. (Multiple architectures? Of course there are multiple
> architectures. How do you know the code works, or even compiles, on
> those architectures if you haven't tried it?) I also note that FreeBSD
> has an experimental binary patch facility, and OpenBSD has a cumulative
> tarball with all patches.
There's no simple answer to the above. The Security Officers endeavour
to provide as complete a service as possible with the volunteer
resources available. There are many things that could be improved - some
take time to set up, some require ongoing resources. A good way to
prepare, test, release, and install binary patches is something we have
an interest in, but there's no complete solution yet.
--
David Maxwell, david@vex.net|david@maxwell.net --> Although some of you out
there might find a microwave oven controlled by a Unix system an attractive
idea, controlling a microwave oven is easily accomplished with the smallest
of microcontrollers. - Russ Hersch - (Microcontroller primer and FAQ)