As a security measure, the OpenBSD kernel checks that the C library standard I/O file descriptors 0-2 are valid open files before exec()ing setuid images. Any of these descriptors that is closed is opened as a new file descriptor to /dev/null. An error exists in this check: if the kernel file descriptor table is full, the new file descriptor fails to open and an error occurs, but this condition does not prevent the exec() call. This may result in untrusted, attacker-supplied data being written to sensitive I/O channels. Local root compromise has been confirmed as a possible consequence. This issue is also reported to affect SCO UnixWare 7.1.1 and Open UNIX 8.0.0.
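The same check can be done in userland at the start of a setuid program, failing closed where the flawed kernel check carried on. This is an added example, not OpenBSD kernel code or code from the advisory; the function name `sanitize_std_fds`, its `devnull_path` parameter and the exit status 111 are hypothetical.

```c
/* Added example: userland fail-closed check for descriptors 0-2. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Ensure descriptors 0, 1 and 2 refer to open files. Any closed slot is
 * pointed at devnull_path (normally "/dev/null"). Returns 0 on success and
 * -1 if a slot could not be filled; the caller must then refuse to continue.
 */
int sanitize_std_fds(const char *devnull_path)
{
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;               /* slot is already open */
        if (errno != EBADF)
            return -1;              /* unexpected error: fail closed */

        /* open() returns the lowest free descriptor, which is fd here
         * because every lower slot was verified or filled already. */
        int newfd = open(devnull_path, O_RDWR);
        if (newfd == -1)
            return -1;              /* e.g. ENFILE or EMFILE: table full */
        if (newfd != fd) {          /* landed in the wrong slot */
            close(newfd);
            return -1;
        }
    }
    return 0;
}

int main(void)
{
    if (sanitize_std_fds("/dev/null") != 0) {
        /* Never run privileged code with an unfilled standard slot. */
        _exit(111);
    }
    puts("descriptors 0-2 are open");
    return 0;
}
```

The decisive difference from the behaviour described above is the `return -1` when `open()` fails: the error is propagated and the program stops instead of continuing with a closed standard descriptor.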