Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

From: Olaf Kirch (okirat_private)
Date: Thu Aug 19 1999 - 12:42:08 PDT

Next message: Erik Nielsen: "Re: FW: DCOM attack against NT using VB6"

Previous message: Martin Schulze: "Insecure use of file in /tmp by trn"
Maybe in reply to: Bill Nottingham: "[RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()"
Next in thread: Alan Cox: "Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Jul 04, 1999 at 03:19:38AM +0200, Michal Zalewski wrote:
> Oh, haven't said, for clearance... I'm talking about terminfo support and
> tgetent() function implemented in libncurses, which is buggy as well,
> while ncurses allows '../' tricks.

Do you have any more information about this problem? As far as I can remember,
ncurses doesn't do much parsing with a terminfo file, so there's little
harm that can be done here. Or do you have a demonstrable exploit?

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okirat_private  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okirat_private    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.

Next message: Erik Nielsen: "Re: FW: DCOM attack against NT using VB6"
Previous message: Martin Schulze: "Insecure use of file in /tmp by trn"
Maybe in reply to: Bill Nottingham: "[RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()"
Next in thread: Alan Cox: "Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:37 PDT