Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

From: Alan Cox (alanat_private)
Date: Sun Aug 22 1999 - 04:51:04 PDT


    [blah blah]
    
    > November 1997. In fact, that's the same example I used (../../../tmp/x).
    > On my test system at the time (Slackware), longer pathnames would be
    > chopped off at the end.
    >
    > In general, I consider it dangerous for a program running with elevated
    > privileges to trust a user-supplied terminfo/termcap file. Last year I
    > found a buffer overflow in ncurses and OpenBSD was changed to not trust
    > user-supplied term files when the invoked program is setuid/setgid. A
    > reasonable precaution; too much could go wrong otherwise.
    
    If that is the only check it is using then openbsd may well also be vulnerable
    at least to part 2 of the bug if they use termcap/terminfo with their
    telnetd.
    
    Linux opens termcap and other files as the real not effective uid. For many
    of these files ignoring them isn't an option. Users get peeved when they
    discover suid programs run in a US time zone, with English texts and fonts.
    
    The problem with telnetd is that you can pass a terminal name that indicates
    'use a local file'. Now the ncurses library then goes 'ok leading slash
    all well and good', I'm not suid uid==euid, let's open it as root and read a
    few bytes. You can't do much with it - you can rewind the machine's tape
    drive for example however. Also if your termcap parser has bugs you can
    hit those.
    
    It is a very nice example of why saying "let's ignore XYZ variable" is not
    security but a quick fix for emergencies. If you don't fix the code it
    will get you.
    
    Alan
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:49 PDT