[5430] in bugtraq


Re: SNI-20: Telnetd tgetent vulnerability

daemon@ATHENA.MIT.EDU (Aleph One)
Wed Oct 22 19:37:48 1997

Date: Wed, 22 Oct 1997 16:10:49 -0500
Reply-To: Aleph One <aleph1@DFW.NET>
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG

---------- Forwarded message ----------
Date: Wed, 22 Oct 1997 13:37:22 -0400 (EDT)
From: David Holland <dholland@eecs.harvard.edu>
To: linux-security@redhat.com
Subject: [linux-security] Re: SNI-20: Telnetd tgetent vulnerability

 > [mod: Executive summary: SNI found recent linux-distributions
 > not-vulnerable -- REW]

Well, it looks a little more complicated than that. If your telnetd is
linked against GNU termcap (as opposed to ncurses), it seems that
there *is* a vulnerability; it looks like GNU termcap doesn't check
for overflow of the initial name portion of the terminal type.

ncurses doesn't touch the buffer in question at all.

--
   - David A. Holland             |    VINO project home page:
     dholland@eecs.harvard.edu    | http://www.eecs.harvard.edu/vino

--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null
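
The kind of check the message above says is missing, sketched as an added example that is not part of the original post and is not GNU termcap's code: a copy of the initial name portion of a termcap-style entry that rejects oversized input instead of writing past the buffer. The function names, the 64-byte buffer size and the sample strings are assumptions made for this illustration; the only format fact relied on is that the name field ends at the first ':'.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64   /* assumed buffer size, chosen for this example */

/* Copy the name portion of a termcap-style entry, e.g.
 * "vt100|dec vt100:co#80:li#24:", into dst. The name portion ends at the
 * first ':' or at the end of the string.
 * Returns the name length on success, or -1 if the name is empty or does
 * not fit. dst is left NUL-terminated and is never written past dstlen. */
int copy_term_name(const char *entry, char *dst, size_t dstlen)
{
    size_t n;

    if (entry == NULL || dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    n = strcspn(entry, ":");       /* length of the name portion */
    if (n == 0 || n >= dstlen)     /* empty, or no room for the NUL */
        return -1;                 /* reject; do not truncate silently */
    memcpy(dst, entry, n);
    dst[n] = '\0';
    return (int)n;
}

/* Build a constructed entry whose name portion is namelen bytes long and
 * run it through the checked copy; returns what copy_term_name returns. */
int demo_name_of_length(size_t namelen)
{
    char entry[1024];
    char name[NAME_BUF];

    if (namelen + 8 > sizeof entry)
        return -1;
    memset(entry, 'A', namelen);
    strcpy(entry + namelen, ":co#80:");
    return copy_term_name(entry, name, sizeof name);
}

int main(void)
{
    char name[NAME_BUF];
    int r = copy_term_name("vt100|dec vt100:co#80:li#24:", name, sizeof name);

    printf("normal entry: %d \"%s\"\n", r, name);
    printf("63-byte name: %d\n", demo_name_of_length(63));
    printf("500-byte name: %d\n", demo_name_of_length(500));
    return 0;
}
```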
