[7193] in bugtraq
Re: ncurses 4.1 security bug
daemon@ATHENA.MIT.EDU (Alan Cox)
Thu Jul 9 14:07:38 1998
Date: Wed, 8 Jul 1998 13:45:58 +0100
Reply-To: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
X-To: perry@piermont.com
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199807072328.TAA02237@jekyll.piermont.com> from "Perry E.
Metzger" at Jul 7, 98 07:28:28 pm
> Duncan Simpson writes:
> > ncurses version 4.1 fails to drop priviledges before opening the
> > termcap database and you can set any file(s) you like.
>
> This is not a bug. ncurses is a *library*, not a *program*. It is up
> to suid programs to drop privileges, not every call that invokes them --
> or are you going to declare the fact that fopen() doesn't drop
> privileges a "bug"?
Depends how you care to look at it. I can agree with your reasoning.
In which case there is a bug in
screen (as root so very bad)
dosemu
mutt
several bsd-games packages
and almost every other setuid/setgid binary that uses ncurses,termcap or slang
anywhere on the planet today. Also of course any setuid/setgid applications
using NLS or TZ. The latter is far nastier because
1. The libraries will use message catalogs and may open them before
you do
2. If you are using C++ your constructors can't call libc in this case
as the order of constructors isnt defined
3. Is anyones ld.so internationalised ? Which OS's have C libraries
that load TZ or NLS data at library initialisation time before
the app starts.
4. Dropping TZ or NLS when setuid is really obnoxious - Japanese users
will love having mutt, screen, and things like su in English.
And of course your comment is inconsistent with LD_PRELOAD handling on
every OS so far - ld.so is a shared object too.
Alan
