[7182] in bugtraq
Re: ncurses 4.1 security bug
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Jul 7 19:56:14 1998
Date: Tue, 7 Jul 1998 19:28:28 -0400
Reply-To: perry@piermont.com
From: "Perry E. Metzger" <perry@PIERMONT.COM>
X-To: Duncan Simpson <dps@IO.STARGATE.CO.UK>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Tue, 07 Jul 1998 20:06:11 BST."
<199807071906.UAA10451@io.stargate.co.uk>
Duncan Simpson writes:
> ncurses version 4.1 fails to drop privileges before opening the
> termcap database and you can set any file(s) you like.
This is not a bug. ncurses is a *library*, not a *program*. It is up
to suid programs to drop privileges, not every call that invokes them --
or are you going to declare the fact that fopen() doesn't drop
privileges a "bug"?
.pm
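
An added example, not part of the original message: a set-uid program permanently dropping its privileges before it calls a library routine that opens a file chosen through the environment, which is the division of responsibility the reply describes. `lib_open_db` and the `TERMDB_PATH` variable are hypothetical stand-ins for the library call; they are not ncurses names.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently discard set-uid/set-gid privilege; 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Group before user: once the uid is gone we may lack permission.
     * Setting real and effective together also resets the saved id. */
    if (setregid(rgid, rgid) != 0 || setreuid(ruid, ruid) != 0)
        return -1;
    /* Verify the drop is irreversible: regaining the old ids must fail. */
    if (egid != rgid && setegid(egid) == 0)
        return -1;
    if (euid != ruid && seteuid(euid) == 0)
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Hypothetical stand-in for a library routine that opens whatever file the
 * environment names; like fopen(), it runs with the caller's current ids. */
FILE *lib_open_db(void)
{
    const char *path = getenv("TERMDB_PATH"); /* assumed name, example only */
    return path ? fopen(path, "r") : NULL;
}

int main(void)
{
    /* ...work that genuinely needs the set-uid identity goes here... */
    if (drop_privileges() != 0) {
        fputs("cannot drop privileges, refusing to continue\n", stderr);
        return 1;
    }
    /* From here on the library opens files as the invoking user only. */
    FILE *db = lib_open_db();
    if (db)
        fclose(db);
    return 0;
}
```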