From mboxrd@z Thu Jan  1 00:00:00 1970
From: random832@fastmail.com (Random832)
Date: Sun, 14 May 2017 01:52:30 -0400
Subject: [TUHS] Old Unix vulnerabilities
In-Reply-To: <alpine.BSF.2.20.1705140929150.67621@aneurin.horsfall.org>
References: <alpine.BSF.2.20.1705140929150.67621@aneurin.horsfall.org>
Message-ID: <1494741150.709655.975854064.7B3C6781@webmail.messagingengine.com>

On Sat, May 13, 2017, at 19:34, Dave Horsfall wrote:
> OK, I'll kick it off.
> 
> A beauty in V6 (and possibly V7) was discovered by the kiddies in Elec 
> Eng; by sending a signal with an appropriately-crafted negative value (as 
> determined from inspecting <user.h>) you could overwrite u.u_uid with 
> zero...  Needless to say I scrambled to fix that one on my 11/40 network!

V7 fixes it by changing the if(sig >= NSIG) in psignal to cast it to
unsigned. Kill still doesn't validate its parameter until SysIII and
4BSD. PWB1 does not have the fix.