From nobody@FreeBSD.org  Wed Dec  2 07:28:04 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D0A5D1065670
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  2 Dec 2009 07:28:04 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id A60F38FC0A
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  2 Dec 2009 07:28:04 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id nB27S4o5083783
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 2 Dec 2009 07:28:04 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id nB27S43I083782;
	Wed, 2 Dec 2009 07:28:04 GMT
	(envelope-from nobody)
Message-Id: <200912020728.nB27S43I083782@www.freebsd.org>
Date: Wed, 2 Dec 2009 07:28:04 GMT
From: Michael <michal.manterys@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Wed Dec  2 08:27:44 CET 2009
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         141095
>Category:       i386
>Synopsis:       Wed Dec  2 08:27:44 CET 2009
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-i386
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 02 07:30:01 UTC 2009
>Closed-Date:    Wed Dec 02 13:02:24 UTC 2009
>Last-Modified:  Wed Dec  2 13:10:01 UTC 2009
>Originator:     Michael
>Release:        FreeBSD 7.2-STABLE
>Organization:
The state administration.
>Environment:
FreeBSD host 7.2-STABLE FreeBSD 7.2-STABLE #1: Tue Dec  1 19:42:43 CET 2009     manti@host:/usr/src/sys/i386/compile/HQ8_IPFW_IPF  i386
>Description:
http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071689.html
$ id -a
uid=1018(user) gid=1018(user) groups=1018(user)
$ ./test.sh
env env.c program.c program.o test.sh w00t.so.1.0 FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in function 'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
#id -a
uid=1018(user) gid=1018(user) euid=0(root) groups=1018(user)


>How-To-Repeat:
Install patch:
cd /usr/src/libexec/rtld-elf
fetch http://wojciech.sychut.eu/rtld.patch
patch < rtld.patch
make clean
make
make install


and the patch doesn't work for 7.2-STABLE:

$ id -a
uid=1018(user) gid=1018(user) groups=1018(user)
$ ./test.sh
env env.c program.c program.o test.sh w00t.so.1.0 FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in function 'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
#id -a
uid=1018(user) gid=1018(user) euid=0(root) groups=1018(user)
>Fix:
??

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: remko 
State-Changed-When: Wed Dec 2 13:02:23 UTC 2009 
State-Changed-Why:  
thnx but we already know this, no need for a ticket

http://www.freebsd.org/cgi/query-pr.cgi?pr=141095 

From: "Remko Lodder" <remko@elvandar.org>
To: "Michael" <michal.manterys@gmail.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: i386/141095: Wed Dec  2 08:27:44 CET 2009
Date: Wed, 2 Dec 2009 14:04:21 +0100

 Dear Michael,
 
 Thank you for reporting this, we appreciate it. However, we are aware of
 this and are working to get this fixed properly (as you might have seen,
 there are fixes committed) and release a Security Advisory.
 
 There is no need for a PR ticket to get this going, so I have closed it.
 
 Cheers,
 Remko
 
 -- 
 /"\   Best regards,                      | remko@FreeBSD.org
 \ /   Remko Lodder                       | remko@EFnet
  X    http://www.evilcoder.org/          |
 / \   ASCII Ribbon Campaign              | Against HTML Mail and News
 
>Unformatted:

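Added illustration of the failure mode the transcripts above show; this is example code written for this record, not FreeBSD's rtld or libc source and not part of the submitter's test.sh. In the transcripts, ld-elf.so.1 prints "environment corrupt; missing value for" (the message FreeBSD's libc unsetenv() of that era emitted when it refused to operate on an environment containing an entry without '=') and then runs the set-uid program anyway, so a user-controlled preload library ends up executing with euid 0. The model below compares a loader that warns and continues with one that fails closed, using a stand-in for that unsetenv() behaviour; the variable list, sample environments, and all function names are constructed for the example. The real remedy is the committed rtld fix and advisory the reply refers to, not this code.

```c
#include <stdio.h>
#include <string.h>

/* Variables a privileged loader must not honour (hypothetical list). */
static const char *const unsafe_vars[] = { "LD_PRELOAD", "LD_LIBRARY_PATH", NULL };

/* Does envp contain an entry with no '=' (a "missing value" entry)? */
static int env_is_corrupt(char **envp)
{
    for (char **e = envp; *e != NULL; e++)
        if (strchr(*e, '=') == NULL)
            return 1;
    return 0;
}

/* Stand-in for an unsetenv() that rejects a malformed environment:
 * returns -1 and removes nothing if any entry lacks '=', otherwise drops
 * every "name=..." entry and returns 0.  Operates on the caller's array,
 * never on the process environment, so the example is self-contained. */
static int model_unsetenv(char **envp, const char *name)
{
    size_t n = strlen(name);
    if (env_is_corrupt(envp))
        return -1;
    char **dst = envp;
    for (char **src = envp; *src != NULL; src++)
        if (!(strncmp(*src, name, n) == 0 && (*src)[n] == '='))
            *dst++ = *src;
    *dst = NULL;
    return 0;
}

/* Look up name in envp; returns its value or NULL if absent. */
const char *env_lookup(char **envp, const char *name)
{
    size_t n = strlen(name);
    for (char **e = envp; *e != NULL; e++)
        if (strncmp(*e, name, n) == 0 && (*e)[n] == '=')
            return *e + n + 1;
    return NULL;
}

/* Policy 1 (the failing one): warn when a scrub fails but keep going.
 * Always returns 0 ("proceed"), even if an unsafe variable survived. */
int scrub_warn_and_continue(char **envp)
{
    for (const char *const *v = unsafe_vars; *v != NULL; v++)
        if (model_unsetenv(envp, *v) != 0)
            fprintf(stderr, "environment corrupt; missing value for %s\n", *v);
    return 0;
}

/* Policy 2 (fail closed): return -1 ("refuse to run") if any scrub call
 * fails or an unsafe variable is still visible afterwards; 0 otherwise. */
int scrub_fail_closed(char **envp)
{
    for (const char *const *v = unsafe_vars; *v != NULL; v++)
        if (model_unsetenv(envp, *v) != 0)
            return -1;
    for (const char *const *v = unsafe_vars; *v != NULL; v++)
        if (env_lookup(envp, *v) != NULL)   /* verify, don't trust the call */
            return -1;
    return 0;
}

/* Constructed sample environments; "NOVALUE" is the malformed entry. */
#define SAMPLE_CLEAN   { "HOME=/home/user", "LD_PRELOAD=/tmp/example.so", NULL }
#define SAMPLE_CORRUPT { "HOME=/home/user", "NOVALUE", "LD_PRELOAD=/tmp/example.so", NULL }

/* 1 if LD_PRELOAD survives warn-and-continue on the corrupt sample. */
int demo_warn_and_continue_leaks(void)
{
    char *env[] = SAMPLE_CORRUPT;
    scrub_warn_and_continue(env);
    return env_lookup(env, "LD_PRELOAD") != NULL;
}

/* Fail-closed verdict on the corrupt sample (-1 = refused to run). */
int demo_fail_closed_corrupt(void)
{
    char *env[] = SAMPLE_CORRUPT;
    return scrub_fail_closed(env);
}

/* Fail-closed verdict on the clean sample (0 = scrubbed and proceeding). */
int demo_fail_closed_clean(void)
{
    char *env[] = SAMPLE_CLEAN;
    int rc = scrub_fail_closed(env);
    return (rc == 0 && env_lookup(env, "LD_PRELOAD") == NULL) ? 0 : -1;
}

int main(void)
{
    printf("warn-and-continue leaves LD_PRELOAD set: %d\n", demo_warn_and_continue_leaks());
    printf("fail-closed verdict, corrupt env: %d\n", demo_fail_closed_corrupt());
    printf("fail-closed verdict, clean env: %d\n", demo_fail_closed_clean());
    return 0;
}
```

The point the two policies make: a privileged program that strips attacker-influenced variables must treat a failed or unverifiable scrub as fatal, because a warning on stderr does nothing to stop the preload from being honoured on the very next step.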