--mP3DRpeJDSE+ciuQ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Mar 12, 2004 at 06:58:20AM -0600, Jacques A. Vidrine wrote: > On Fri, Mar 12, 2004 at 12:15:26PM +0100, Marc Olzheim wrote: > > On Fri, Mar 12, 2004 at 01:06:57PM +0200, Ruslan Ermilov wrote: > > > And the fact that optind is initially set to 1. I wonder what > > > could be the implications for setuid programs. There could be > > > quite unpredictable results, as the "argv" pointer is incorrectly > > > advanced in this case, and at least several setuid programs that > > > I've glanced at are vulnerable to this attack. > >=20 > > See also: http://www.freebsd.org/cgi/query-pr.cgi?pr=3D33738 >=20 > Thanks Ruslan, Marc, >=20 > I think kern/33738 is on the money. I do not see any immediate > ramifications, but for peace of mind I believe that exec should fail if > the argument array pointer is NULL. >=20 > I believe this would be consistent with the relevant standards: POSIX > already requires (a) that the first argument ``should point to a > filename that is associated with the process being started'' and (b) > ``the last member of this array is a null pointer''--- i.e. the array > pointer cannot be NULL. >=20 I will track it down later today, and follow-up with what I have. Cheers, --=20 Ruslan Ermilov FreeBSD committer ru@FreeBSD.org --mP3DRpeJDSE+ciuQ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFAUdTYUkv4P6juNwoRAixQAKCBSw56kFsoRc4aG86/dF/mOArQFgCfeHvd ObYBZ5wWQnSm1EH7BVbgufw= =Yj5+ -----END PGP SIGNATURE----- --mP3DRpeJDSE+ciuQ--