[11479] in bugtraq
Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()
daemon@ATHENA.MIT.EDU (Tymm Twillman)
Sat Aug 21 21:19:09 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.SGI.4.05.9908191335350.309615-100000@tiger.coe.missouri.edu>
Date: Thu, 19 Aug 1999 13:38:37 -0500
Reply-To: Tymm Twillman <tymm@COE.MISSOURI.EDU>
From: Tymm Twillman <tymm@COE.MISSOURI.EDU>
X-To: Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <lcamtuf.4.05.9907040317190.356-100000@nimue.ids.pl>
And as Chris Evans pointed out on linux-security, libncurses on RedHat is
built with -DPURE_TERMINFO, which keeps it from using the buggy buffer
code in libtermcap.
-Tymm
On Sun, 4 Jul 1999, Michal Zalewski wrote:
> On Sun, 4 Jul 1999, Michal Zalewski wrote:
>
> > [...] most terminfo-based programs will accept the TERM variable set to
> > e.g. '../../../tmp/x'. All we have to do is to provide 'our own termcap
> > file', set TERM, then execute a vulnerable program w/terminfo support. In
> > fact, the in.telnetd daemon shipped e.g. with RH 6.0 /as well as with many
> > other recent distributions based on terminfo entries/, is vulnerable...
>
> Oh, haven't said, for clearance... I'm talking about terminfo support and
> tgetent() function implemented in libncurses, which is buggy as well,
> while ncurses allows '../' tricks.
>
> _______________________________________________________________________
> Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]
> [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
> [voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
> To iterate is human, to recurse - divine [P. Deutsch]
>
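
Added example, not part of the original messages and not code from ncurses, libtermcap or in.telnetd: a check a program could apply to a caller-supplied TERM value before passing it to tgetent(), refusing names that contain path components such as the '../../../tmp/x' form quoted above, as well as oversized names. The names term_name_is_safe, choose_term and TERM_NAME_MAX, the 64-byte limit and the "dumb" fallback are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit for this example; not a constant from ncurses or libtermcap. */
#define TERM_NAME_MAX 64

/* Return 1 only for a plain terminal-type name: non-empty, bounded in length,
 * starting with a letter or digit, and free of '/' so it cannot name a path. */
int term_name_is_safe(const char *name)
{
    size_t i;

    if (name == NULL)
        return 0;
    for (i = 0; name[i] != '\0'; i++) {
        unsigned char c = (unsigned char)name[i];

        if (i >= TERM_NAME_MAX)
            return 0;               /* oversized value: reject, do not truncate */
        if (i == 0 && !isalnum(c))
            return 0;               /* rejects ".", ".." and "-option" style names */
        if (!isalnum(c) && c != '-' && c != '_' && c != '+' && c != '.')
            return 0;               /* '/' and every other byte is refused */
    }
    return i > 0;
}

/* Pick the terminal type to hand on: the requested one if safe, else fallback. */
const char *choose_term(const char *requested, const char *fallback)
{
    return term_name_is_safe(requested) ? requested : fallback;
}

int main(void)
{
    /* Constructed sample values; the second is the form quoted in the thread. */
    const char *samples[] = { "xterm-256color", "../../../tmp/x", "vt100", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i], choose_term(samples[i], "dumb"));
    printf("TERM from environment -> %s\n", choose_term(getenv("TERM"), "dumb"));
    return 0;
}
```

The check is an allow-list on the name itself, so it holds regardless of which library resolves the entry afterwards.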