Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

From: Carlo M. Arenas Belon (carenasat_private)
Date: Tue Aug 24 1999 - 15:45:21 PDT


    <SNIP>
    > > The problem with telnetd is that you can pass a terminal name that indicates
    > > 'use a local file'. Now the ncurses library then goes 'ok leading slash
    > > all well and good', I'm not suid uid==euid, let's open it as root and read a
    > > few bytes. You can't do much with it - you can rewind the machine's tape
    > > drive for example however. Also if your termcap parser has bugs you can
    > > hit those.
    >
    > This is fixed in the latest (pre-)release of ncurses-5.0.  From the release
    > notes posted to bug-ncurses mailing list (as of last night) from da man
    > hissef:
    >
    > 990821  pre-release
    >         + updated configure macros CF_MAKEFLAGS, CF_CHECK_ERRNO
    >         + minor corrections to beterm terminfo entry.
    >         + modify lib_setup.c to reject values of $TERM which have a '/' in them.
    >
    > So, version 5.0 will no longer accept $TERM that has a slash in it at all,
    > much less a leading one.  I haven't looked closely at the source code, but a
    > similar change to the 4.2 sources, the version most distributions are using
    > now, should address this at least where tgetent() is concerned.
    
    from a COL2.2 system
    
    ldd /usr/sbin/in.telnetd
    	libncurses.so.4 => /lib/libncurses.so.4 (0x40018000)
    	libc.so.6 => /lib/libc.so.6 (0x4005a000)
    	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
    
    I think someone should fix the last post on Caldera's homepage regarding
    this vulnerability
    
    http://www.calderasystems.com/news/security/CSSA-1999:020.0.txt
    
    .... Olaf? ;)
    
    > > It is a very nice example of why saying "let's ignore XYZ variable" is not
    > > security but a quick fix for emergencies. If you don't fix the code it
    > > will get you..
    >
    > Yep...
    
    wise words
    
    Carlo
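
The '/' rejection rule from the ncurses 5.0 release note quoted above, written out as an added C example (not code from this thread, Caldera or ncurses) for a daemon that receives a terminal name from an untrusted peer; the TERM_NAME_MAX bound, the character whitelist and the "dumb" fallback are assumptions of the example, not part of the ncurses change:

```c
/* Added example: validate a peer-supplied terminal name (telnetd gets it
 * via the TERM option) before it reaches tgetent()/setupterm(). Mirrors
 * the ncurses 5.0 lib_setup.c rule (reject any value containing '/') and
 * adds an assumed character whitelist and length bound on top of it. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TERM_NAME_MAX 32   /* assumed bound; real terminal names are short */
/* Returns 1 if term is acceptable as a terminal name, 0 otherwise. */
int term_name_is_safe(const char *term)
{
    size_t len, i;
    if (term == NULL)
        return 0;
    len = strlen(term);
    if (len == 0 || len > TERM_NAME_MAX)
        return 0;
    /* The ncurses 5.0 rule: a '/' anywhere is rejected, so the value can
     * never be taken as a path to a local termcap/terminfo file. */
    if (strchr(term, '/') != NULL)
        return 0;
    /* Stricter than ncurses: a leading '.' would still name a dotfile
     * inside a search directory, so refuse it too. */
    if (term[0] == '.')
        return 0;
    /* Whitelist: letters, digits and the separators seen in real names. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)term[i];
        if (!isalnum(c) && c != '-' && c != '+' && c != '.' && c != '_')
            return 0;
    }
    return 1;
}

/* Fall back to a harmless default when the supplied name is rejected. */
const char *sanitize_term(const char *term)
{
    return term_name_is_safe(term) ? term : "dumb";
}

int main(void)
{
    /* Constructed sample values, not taken from any real session. */
    printf("%s\n", sanitize_term("xterm-256color"));   /* accepted as-is */
    printf("%s\n", sanitize_term("/tmp/termfile"));    /* replaced by dumb */
    return 0;
}
```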
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:24 PDT