On Thu, 9 Jul 1998, Casper Dik wrote: > >ncurses version 4.1 fails to drop priviledges before opening the > >termcap database and you can set any file(s) you like. I am not sure > >any setuid program allows an exploit but this is not good in any case. > >Here is a patch that stops that game. (Using the patch requires > >autoconf because I have not supplied diffs against the configure > >script). > > It seems to me that the below fix is broken; what happens if: [...] > Juggling with uids in the library is hard; you don't know what the > original uids were and you really have no way to find out. Oh my God, just another "confused deputy" (see [1])! The library has got a filename (or a part of it). It has no reliable way to figure out the credentials of a user who provided the filename. Even if it had them, it would have no guarantee about being able to use them. Moreover, there is no guarantee regarding the integrity the file, any data read from it are "tainted". All code of the library dealing with these data must be absolutely free of vulnerabilities. There should be a law abolishing complex set*id programs. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "You can't be truly paranoid unless you're sure they have already got you." [1] Hardy, N., "The Confused Deputy", http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:08 PDT