Posted by Philip Pettersson on Oct 01
Hi, this is a notice about CVE-2015-5889 which was fixed today in
APPLE-SA-2015-09-30-3.

I reported this issue to Apple in July 2015.

The default root-suid binary /usr/bin/rsh on Mac OS X uses execv() in
an insecure manner.

Most system libraries on OSX use issetugid(2) when initializing to
determine if certain environment variables are safe to use. When
executing a setuid binary as an unprivileged user, variables such as
DYLD_* will be cleared…
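
The issetugid(2) gate described in the post, sketched as an added example; this is not code from the post or from Apple's libraries. The function names and the sample environment are hypothetical, and the Linux branch using getauxval(AT_SECURE) is an assumption added so the sketch also builds outside OS X.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/auxv.h>            /* getauxval(AT_SECURE), nearest Linux analogue */
#endif

/* Nonzero when the process gained privilege at exec (setuid/setgid). */
static int process_is_tainted(void)
{
#if defined(__linux__)
    return getauxval(AT_SECURE) != 0;
#else
    return issetugid();          /* OS X and the BSDs */
#endif
}

/* Remove every entry whose name starts with `prefix` from a NULL-terminated
 * envp array, compacting it in place. Returns the number removed. */
static int scrub_prefix(char **envp, const char *prefix)
{
    size_t n = strlen(prefix);
    int removed = 0;
    char **out = envp;
    for (char **in = envp; *in != NULL; in++) {
        if (strncmp(*in, prefix, n) == 0)
            removed++;           /* drop the untrusted variable */
        else
            *out++ = *in;        /* keep everything else, in order */
    }
    *out = NULL;
    return removed;
}

/* Library-init style gate (hypothetical): scrub only when tainted. */
static int sanitize_env(char **envp, int tainted)
{
    return tainted ? scrub_prefix(envp, "DYLD_") : 0;
}

int main(void)
{
    /* Constructed sample environment; DYLD_EXAMPLE_VAR is a made-up name. */
    char *env[] = { "PATH=/usr/bin:/bin", "DYLD_EXAMPLE_VAR=constructed",
                    "HOME=/Users/demo", NULL };
    int tainted = process_is_tainted();
    printf("tainted=%d removed=%d\n", tainted, sanitize_env(env, tainted));
    return 0;
}
```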