Regarding user-supplied terminfo files... |autopsy!user52810at_private| suggested this feature, as found in the terminfo man page, might be malaciously used in a custom terminfo file: -np Number of pages of memory c100-4p Possibile to crash a machine using this? Anyone? Thanks to Jason Parsons <rootat_private> for pointing this one out: [fx@somehost fx]$ export DISPLAY="" [fx@somehost fx]$ telnet . Trying 0.0.0.0... Connected to .. Escape character is '^]'. Red Hat Linux release 4.2 (Biltmore) Kernel 2.0.30 on an i586 login: telnet> send esc telnet> quit Connection closed. [fx@somehost fx]$ export DISPLAY="1234567890123456789012345678901234567890123 45678901234567890123456789012345678901234567890123456789012345678901234567890 12345678901234567890123456789012345678901234567890123456789012345645678901234 56789012345678901234567890123456789012345678901234567890123456" [fx@somehost fx]$ telnet . Trying 0.0.0.0... Connected to .. Escape character is '^]'. Segmentation fault (core dumped) [fx@somehost fx]$ ls -l core -rw------- 1 fx nnh 315392 Dec 1 21:51 core [fx@somehost fx]$ That's 256 characters up there, BTW. Also, note we're setting the DISPLAY variable this time, not TERM. Lastly, while doing some testing, I discovered that setting my TERM variable to a 256-character string under Solaris 2.5.1 caused my bash shell session to crash, dump core and log me out. This may or may not have been mentioned on Bugtraq before, and may or may not be due to missing patches. Pardon my vagueness, but I've been swamped lately and really don't have much time to explore these problems in more detail. . _ _ _ _ . . _ _ . . _ _ _ . . : |-||-||<|_||\| |_|-||\/||-'|->|_-|_|_ Dalhousie University, Halifax, NS `--------------------------------------------- [fx!aaronat_private] ----
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:34:02 PDT