Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

From: Tymm Twillman (tymmat_private)
Date: Thu Aug 19 1999 - 11:38:37 PDT


    And as Chris Evans pointed out on linux-security, libncurses on RedHat is
    built with -DPURE_TERMINFO, which keeps it from using the buggy buffer
    code in libtermcap.
    
    -Tymm
    
    On Sun, 4 Jul 1999, Michal Zalewski wrote:
    
    > On Sun, 4 Jul 1999, Michal Zalewski wrote:
    >
    > > [...] most of terminfo-based programs will accept TERM variable set to
    > > eg. '../../../tmp/x'. All we have to do is to provide 'our own termcap
    > > file', set TERM, then execute vulnerable program w/terminfo support. In
    > > fact, in.telnetd daemon shipped eg. with RH 6.0 /as well as with many
    > > other recent distributions based on terminfo entries/, is vulnerable...
    >
    > Oh, haven't said, for clearance... I'm talking about terminfo support and
    > tgetent() function implemented in libncurses, which is buggy as well,
    > while ncurses allows '../' tricks.
    >
    > _______________________________________________________________________
    > Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM]
    > [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
    > [voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
    > To iterate is human, to recurse divine [P. Deutsch]
    >
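
Added example, not part of the original thread and not code from ncurses or libtermcap: a check that a program receiving a terminal type from an untrusted source could apply before passing it to tgetent(), rejecting names such as the '../../../tmp/x' value quoted above. The function names, the 64-character limit, the allowed character set and the "dumb" fallback are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit for this example; not a value taken from any library. */
#define TERM_NAME_MAX 64

/* Return 1 if name is acceptable as a terminal type, 0 otherwise. */
int term_name_is_safe(const char *name)
{
    size_t i, len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    /* Bounding the length keeps the name well below fixed-size buffers. */
    if (len == 0 || len > TERM_NAME_MAX)
        return 0;
    /* A leading '.' covers ".", ".." and hidden-file names. */
    if (name[0] == '.')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* Whitelist only: '/' and control characters fall outside it, so the
         * name cannot be used to leave the terminal database directory. */
        if (!isalnum(c) && c != '-' && c != '_' && c != '+' && c != '.')
            return 0;
    }
    return 1;
}

/* Return the requested type if it passes the check, else a fixed fallback. */
const char *select_term(const char *requested)
{
    return term_name_is_safe(requested) ? requested : "dumb";
}

int main(void)
{
    /* Stand-alone use: report which terminal type would be handed on. */
    printf("%s\n", select_term(getenv("TERM")));
    return 0;
}
```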
    


