[11495] in bugtraq

Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

daemon@ATHENA.MIT.EDU (Kurt Wall)
Tue Aug 24 15:04:59 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19990822164834.F15790@xmission.com>
Date:         Sun, 22 Aug 1999 16:48:34 -0600
Reply-To: Kurt Wall <kwall@XMISSION.COM>
From: Kurt Wall <kwall@XMISSION.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <E11IW9S-0001fX-00@the-village.bc.nu>; from Alan Cox on Sun,
              Aug 22, 1999 at 12:51:04PM +0100

Also sprach Alan Cox:
> [blah blah]
>

[Linux opens files with real not effective UID]

> The problem with telnetd is that you can pass a terminal name that indicates
> 'use a local file'. Now the ncurses library then goes 'ok leading slash
> all well and good', I'm not suid uid==euid, let's open it as root and read a
> few bytes. You can't do much with it - you can rewind the machine's tape
> drive for example however. Also if your termcap parser has bugs you can
> hit those.

This is fixed in the latest (pre-)release of ncurses-5.0.  From the release
notes posted to bug-ncurses mailing list (as of last night) from da man
hissef:

990821  pre-release
        + updated configure macros CF_MAKEFLAGS, CF_CHECK_ERRNO
        + minor corrections to beterm terminfo entry.
        + modify lib_setup.c to reject values of $TERM which have a '/' in them.

So, version 5.0 will no longer accept $TERM that has a slash in it at all,
much less a leading one.  I haven't looked closely at the source code, but a
similar change to the 4.2 sources, the version most distributions are using
now, should address this at least where tgetent() is concerned.

> It is a very nice example of why saying "let's ignore XYZ variable" is not
> security but a quick fix for emergencies. If you don't fix the code it
> will get you..

Yep...

Kurt
--
Life's too short to dance with ugly women.
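
The check discussed above, sketched as an added example that is not part of the original message and is not ncurses source: a daemon vets the client-supplied terminal name before exporting it as $TERM. The function names, the length bound, the character allow-list and the "dumb" fallback are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define TERM_NAME_MAX 64   /* assumed bound, not taken from ncurses */

/*
 * Hypothetical helper: may this client-supplied name be exported as $TERM
 * before any termcap/terminfo lookup runs? Returns 1 if yes, 0 if not.
 */
int term_name_ok(const char *name)
{
    size_t len, i;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > TERM_NAME_MAX)
        return 0;              /* empty or oversized input is refused */
    if (name[0] == '.')
        return 0;              /* assumed: no "." or ".." style names */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/')
            return 0;          /* the rule from the release note */
        if (!isalnum(c) && c != '-' && c != '_' && c != '.' && c != '+')
            return 0;          /* assumed allow-list for entry names */
    }
    return 1;
}

/*
 * Copy a vetted name into out, or substitute a fixed default, so the
 * library is never handed a path it would open with the daemon's UID.
 * Returns out, or NULL if the buffer is too small.
 */
const char *term_name_or_default(const char *name, char *out, size_t outlen)
{
    static const char fallback[] = "dumb";
    const char *src = term_name_ok(name) ? name : fallback;
    size_t n = strlen(src);

    if (n >= outlen)
        return NULL;
    memcpy(out, src, n + 1);   /* includes the terminating NUL */
    return out;
}
```

Doing this in the daemon covers libraries that have not yet picked up the lib_setup.c change, which is the situation described for the 4.2 sources.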