Re: ncurses 4.1 security bug

From: Geoffrey KEATING (geoffkat_private)
Date: Tue Jul 14 1998 - 01:34:46 PDT

Next message: Jon Torrez: "Re: Slackware Shadow Insecurity"

Previous message: Raj Singh: "[FWD] Attention: Please update your imapd"
Maybe in reply to: Duncan Simpson: "ncurses 4.1 security bug"
Next in thread: Alexander Kjeldaas: "Re: ncurses 4.1 security bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> In C++ _you cant_
>
> C++ global object constructors are called in pretty much arbitary
> order before
> main() is entererd.
>
> Its an interesting reason not to write setuid apps in C++ 8)

Note that with ELF shared libraries, it is possible to have a shared
library (written in C, C++, or any other language) that also has
constructors that get executed before any code from the executable
(possibly apart from crt0) gets run.  So you can upgrade a
harmless-looking library and make your system insecure because it was
used by a setuid executable...

--
Geoff Keating <Geoff.Keatingat_private>

Next message: Jon Torrez: "Re: Slackware Shadow Insecurity"
Previous message: Raj Singh: "[FWD] Attention: Please update your imapd"
Maybe in reply to: Duncan Simpson: "ncurses 4.1 security bug"
Next in thread: Alexander Kjeldaas: "Re: ncurses 4.1 security bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:06 PDT