[11447] in bugtraq
Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Fri Aug 20 22:35:11 1999
Message-Id: <lcamtuf.4.05.9907040637020.396-100000@nimue.ids.pl>
Date: Sun, 4 Jul 1999 06:38:57 +0200
Reply-To: Michal Zalewski <lcamtuf@IDS.PL>
From: Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.SGI.4.05.9908191335350.309615-100000@tiger.coe.missouri.edu>
On Thu, 19 Aug 1999, Tymm Twillman wrote:
> And as Chris Evans pointed out on linux-security, libncurses on RedHat
> is built with -DPURE_TERMINFO, which keeps it from using the buggy
> buffer code in libtermcap.
...not quite true - we're able to cause at least several SEGVs in ncurses'
tgetent() function by putting junk into terminfo files. Simply try some
brute-force algorithms. I don't want to discuss the possible consequences
of this bug, as we haven't carefully checked the terminfo format, nor the
parser code.
_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
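The "junk into terminfo files" approach the reply describes, written out as an added example that is not part of the original message and not code from ncurses: a small mutation harness that builds a minimal compiled terminfo entry in the term(5) layout (six little-endian shorts in the header, then names, booleans, numbers, string offsets and the string table), mutates it (inflated header counts, random byte flips, truncation), installs each case under a private TERMINFO directory and runs a terminfo consumer against it, classifying a negative exit status as the delivering signal. The terminal name `fuzzterm`, the capability values and the choice of `tput cols` as the consumer are assumptions made for the example; nothing here is a claim about where the SEGVs in the reply actually occurred.

```python
"""Mutation fuzzer for compiled terminfo entries (constructed example)."""
import os
import random
import signal
import struct
import subprocess
import tempfile

MAGIC = 0o432  # compiled-terminfo magic number (term(5)), stored as a little-endian short


def build_terminfo(names, bools, nums, strs):
    """Assemble a compiled terminfo entry from its sections.

    names: b"alias|alias|description"; bools: list of 0/1; nums: list of ints
    (-1 = absent); strs: list of bytes or None (None = absent). Capabilities are
    positional, so the caller decides what each slot means.
    """
    names_sec = names + b"\x00"
    bool_sec = bytes(bools)
    if (len(names_sec) + len(bool_sec)) % 2:
        bool_sec += b"\x00"  # the numbers section must start on an even byte boundary
    num_sec = b"".join(struct.pack("<h", n) for n in nums)
    table, offsets = b"", []
    for s in strs:
        offsets.append(-1 if s is None else len(table))
        if s is not None:
            table += s + b"\x00"
    off_sec = b"".join(struct.pack("<h", o) for o in offsets)
    header = struct.pack("<6h", MAGIC, len(names_sec), len(bools), len(nums), len(strs), len(table))
    return header + names_sec + bool_sec + num_sec + off_sec + table


def parse_header(blob):
    """Decode the six-short header so mutations can be checked and reported."""
    magic, names_size, nbools, nnums, nstrs, table_size = struct.unpack("<6h", blob[:12])
    return {"magic": magic, "names_size": names_size, "bools": nbools,
            "nums": nnums, "strings": nstrs, "table_size": table_size}


def mutate(blob, rng):
    """Return one mutated copy: an inflated header count, random byte flips, or a truncation."""
    data = bytearray(blob)
    choice = rng.randrange(3)
    if choice == 0:
        field = rng.randrange(1, 6)  # one of the five size/count fields (not the magic)
        struct.pack_into("<h", data, 2 * field, rng.choice([0x7FFF, -1, -2, 0]))
    elif choice == 1:
        for _ in range(rng.randint(1, 8)):
            data[rng.randrange(len(data))] = rng.randrange(256)
    else:
        data = data[: rng.randrange(1, len(data))]
    return bytes(data)


def classify(returncode):
    """Map a subprocess exit status to a verdict; a negative status is the signal number."""
    if returncode < 0:
        return "SIGSEGV" if -returncode == signal.SIGSEGV else "signal%d" % -returncode
    return "ok" if returncode == 0 else "error"


def run_case(blob, term="fuzzterm", prog=("tput", "cols")):
    """Install blob as $TERMINFO/<first letter>/<term> and run a terminfo consumer against it."""
    with tempfile.TemporaryDirectory() as d:
        sub = os.path.join(d, term[0])
        os.mkdir(sub)
        with open(os.path.join(sub, term), "wb") as f:
            f.write(blob)
        env = dict(os.environ, TERMINFO=d, TERM=term)
        try:
            p = subprocess.run(prog, env=env, stdout=subprocess.DEVNULL,
                               stderr=subprocess.DEVNULL, timeout=5)
        except FileNotFoundError:
            return "no-consumer"  # the consumer program is not installed
        except subprocess.TimeoutExpired:
            return "timeout"
        return classify(p.returncode)


def fuzz(seed=1, iterations=200):
    """Run the loop from a seed and return a verdict tally (constructed base entry)."""
    rng = random.Random(seed)
    # constructed values: nums are columns, init_tabs, lines in term(5) order
    base = build_terminfo(b"fuzzterm|constructed terminal for fuzzing",
                          [1, 0], [80, 8, 24], [b"\x07", None, b"\x1b[H\x1b[J"])
    tally = {}
    for _ in range(iterations):
        verdict = run_case(mutate(base, rng))
        tally[verdict] = tally.get(verdict, 0) + 1
        if verdict == "no-consumer":
            break
    return tally


if __name__ == "__main__":
    print(fuzz())
```

Each verdict of `SIGSEGV` is a candidate crash; keep the mutated blob and its decoded header alongside it, since the header counts are what a parser trusts when it sizes its copies, and that is where a structure-aware mutator should spend most of its budget.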