--0vzXIDBeUiKkjNJl Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Mar 12, 2004 at 06:58:20AM -0600, Jacques A. Vidrine wrote: > On Fri, Mar 12, 2004 at 12:15:26PM +0100, Marc Olzheim wrote: > > On Fri, Mar 12, 2004 at 01:06:57PM +0200, Ruslan Ermilov wrote: > > > And the fact that optind is initially set to 1. I wonder what > > > could be the implications for setuid programs. There could be > > > quite unpredictable results, as the "argv" pointer is incorrectly > > > advanced in this case, and at least several setuid programs that > > > I've glanced at are vulnerable to this attack. > >=20 > > See also: http://www.freebsd.org/cgi/query-pr.cgi?pr=3D33738 >=20 > Thanks Ruslan, Marc, >=20 > I think kern/33738 is on the money. I do not see any immediate > ramifications, but for peace of mind I believe that exec should fail if > the argument array pointer is NULL. >=20 > I believe this would be consistent with the relevant standards: POSIX > already requires (a) that the first argument ``should point to a > filename that is associated with the process being started'' and (b) > ``the last member of this array is a null pointer''--- i.e. the array > pointer cannot be NULL. >=20 As Garrett already pointed out in the PR log, have you considered this? http://www.opengroup.org/onlinepubs/007904975/functions/execve.html#tag_03_= 130_08 I'm happy with changing our behavior to Strictly Conforming for the goods of security, and you? Cheers, --=20 Ruslan Ermilov FreeBSD committer ru@FreeBSD.org --0vzXIDBeUiKkjNJl Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFAUds4Ukv4P6juNwoRAggyAJ9fSMInyRNirSHvEUe3vWDunGIoJwCdGZ9D KFfxioR9lic6sGOHry/N4jM= =1mUE -----END PGP SIGNATURE----- --0vzXIDBeUiKkjNJl--