[7217] in bugtraq
Re: ncurses 4.1 security bug
daemon@ATHENA.MIT.EDU (matthew green)
Fri Jul 10 15:06:13 1998
Date: Fri, 10 Jul 1998 19:35:50 +1000
Reply-To: mrg@ETERNA.COM.AU
From: matthew green <mrg@ETERNA.COM.AU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Wed, 08 Jul 1998 15:53:27 +0100."
<m0ytvb6-000aQFC@the-village.bc.nu>
> > 1. The libraries will use message catalogs and may open them before
> > you do
>
> In NetBSD, the message catalogs we use don't work that way, so I
> suppose I'm not familiar with this issue.
Does libc load message databases of your choice - like say /dev/tape ? The
problems are those of dropping privliedges early enough. As to the bug list
thats real apps that need fixing - and should be fixed regardless of whether
people bandaid ncurses.
how do you fix this? how does a _library_ know this? openbsd has defined an
issetugid() syscall (or something) that libraries could use to ignore the
things like $TAPE and $TERMCAP, etc., but that isn't correct. how does it
know what the real userid _really_ is, to perform the necessary checks on
whether a file will be used or not -- or do you simple say that priviledged
programs don't get this functionality?
i also don't see how the linux setfsuid() really helps here, either.
i've had fixing this in problem in my TODO liist for over 2 years but
without a total solution i've left it as is for now. these are the
variables listed that NetBSD uses that i've determined are affected:
- TZ
- TERMCAP
- HOSTALIASES
