[11576] in bugtraq
Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()
daemon@ATHENA.MIT.EDU (Carlo M. Arenas Belon)
Sun Aug 29 02:19:57 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.02.9908241834520.10741-100000@chasqui.LaRed.net.pe>
Date: Tue, 24 Aug 1999 18:45:21 -0400
Reply-To: "Carlo M. Arenas Belon" <carenas@CHASQUI.LARED.NET.PE>
From: "Carlo M. Arenas Belon" <carenas@CHASQUI.LARED.NET.PE>
X-To: Kurt Wall <kwall@XMISSION.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19990822164834.F15790@xmission.com>
<SNIP>
> > The problem with telnetd is that you can pass a terminal name that indicates
> > 'use a local file'. Now the ncurses library then goes 'ok leading slash
> > all well and good', I'm not suid uid==euid, let's open it as root and read a
> > few bytes. You can't do much with it - you can rewind the machine's tape
> > drive for example however. Also if your termcap parser has bugs you can
> > hit those.
>
> This is fixed in the latest (pre-)release of ncurses-5.0. From the release
> notes posted to bug-ncurses mailing list (as of last night) from da man
> hissef:
>
> 990821 pre-release
> + updated configure macros CF_MAKEFLAGS, CF_CHECK_ERRNO
> + minor corrections to beterm terminfo entry.
> + modify lib_setup.c to reject values of $TERM which have a '/' in them.
>
> So, version 5.0 will no longer accept $TERM that has a slash in it at all,
> much less a leading one. I haven't looked closely at the source code, but a
> similar change to the 4.2 sources, the version most distributions are using
> now, should address this at least where tgetent() is concerned.
From a COL2.2 system:
ldd /usr/sbin/in.telnetd
libncurses.so.4 => /lib/libncurses.so.4 (0x40018000)
libc.so.6 => /lib/libc.so.6 (0x4005a000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
I think someone should fix the last post on Caldera's homepage regarding
this vulnerability
http://www.calderasystems.com/news/security/CSSA-1999:020.0.txt
.... Olaf? ;)
> > It is a very nice example of why saying "let's ignore XYZ variable" is not
> > security but a quick fix for emergencies. If you don't fix the code it
> > will get you..
>
> Yep...
wise words
Carlo
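The lib_setup.c change quoted above rejects any $TERM containing a '/', not just a leading one, so the value can never name a local file. As an added illustration (not ncurses code and not from this thread), the check below applies that policy before a terminal name is handed to a termcap/terminfo lookup; the length bound and the allowed character set are this example's own assumptions, not the library's.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed bound for this example; real libraries use their own limits. */
#define TERM_NAME_MAX 64

/* Returns 1 if `term` is acceptable as a terminal name, 0 otherwise.
 * Policy from the thread: a '/' anywhere in the name is rejected, so the
 * lookup can only consult the terminal database, never an arbitrary path.
 * The length cap guards fixed-size buffers of the kind the RHSA concerns,
 * and the character whitelist (letters, digits, '-', '+', '.', '_') is an
 * added assumption that covers normal names such as "xterm-256color". */
int term_name_is_safe(const char *term)
{
    size_t len = 0;
    const unsigned char *p;

    if (term == NULL || *term == '\0')
        return 0;
    if (strchr(term, '/') != NULL)
        return 0;
    for (p = (const unsigned char *)term; *p != '\0'; p++) {
        if (++len > TERM_NAME_MAX)
            return 0;
        if (!isalnum(*p) && *p != '-' && *p != '+' && *p != '.' && *p != '_')
            return 0;
    }
    return 1;
}

/* Picks the terminal name a privileged program should actually use:
 * the caller's $TERM if it passes the check, otherwise `fallback`
 * (typically "dumb"), so a hostile value is never passed to tgetent(). */
const char *choose_term(const char *env_term, const char *fallback)
{
    return term_name_is_safe(env_term) ? env_term : fallback;
}
```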