[1655] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: SNI-20: Telnetd tgetent vulnerability

daemon@ATHENA.MIT.EDU (David Holland)
Wed Oct 22 16:01:13 1997

From: David Holland <dholland@eecs.harvard.edu>
To: linux-security@redhat.com
Date: Wed, 22 Oct 1997 13:37:22 -0400 (EDT)
In-Reply-To: <Pine.BSI.3.96.971021182323.367A-100000@silence.secnet.com> from "Secure Networks Inc." at Oct 21, 97 06:24:02 pm
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

 > [mod: Executive summary: SNI found recent linux-distributions
 > not-vulnerable -- REW]

Well, it looks a little more complicated than that. If your telnetd is
linked against GNU termcap (as opposed to ncurses), it seems that
there *is* a vulnerability; it looks like GNU termcap doesn't check
for overflow of the initial name portion of the terminal type.

ncurses doesn't touch the buffer in question at all.

-- 
   - David A. Holland             |    VINO project home page:
     dholland@eecs.harvard.edu    | http://www.eecs.harvard.edu/vino

--
----------------------------------------------------------------------
Please refere to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null


home help back first fref pref prev next nref lref last post