[7263] in bugtraq
Re: ncurses 4.1 security bug
daemon@ATHENA.MIT.EDU (Geoffrey KEATING)
Tue Jul 14 16:33:03 1998
Date: Tue, 14 Jul 1998 18:34:46 +1000
Reply-To: Geoffrey KEATING <geoffk@DISCUS.ANU.EDU.AU>
From: Geoffrey KEATING <geoffk@DISCUS.ANU.EDU.AU>
X-To: ben@ALGROUP.CO.UK
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <35A744E9.7317A812@algroup.co.uk> (message from Ben Laurie on
Sat, 11 Jul 1998 11:56:41 +0100)
> In C++ _you can't_
>
> C++ global object constructors are called in pretty much arbitrary
> order before
> main() is entered.
>
> It's an interesting reason not to write setuid apps in C++ 8)
Note that with ELF shared libraries, it is possible to have a shared
library (written in C, C++, or any other language) that also has
constructors that get executed before any code from the executable
(possibly apart from crt0) gets run. So you can upgrade a
harmless-looking library and make your system insecure because it was
used by a setuid executable...
--
Geoff Keating <Geoff.Keating@anu.edu.au>
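
The point above, as an added example that is not part of the original message: an initializer marked with the GCC/Clang constructor attribute runs before main() and records the real and effective uid it saw, so you can check what privilege load-time code holds before the program has any chance to drop it. The names library_init, init_snapshot and init_ran_privileged are hypothetical, and the single file stands in for a shared library, where the loader would call the same kind of function from .init_array.

```c
/* Added illustration; names are hypothetical, not from the original post. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(), AT_SECURE */
#endif

/* What the initializer observed at the moment it ran. */
struct init_snapshot {
    int   ran;           /* 1 once the constructor has executed */
    int   main_entered;  /* value of the main_entered flag at that moment */
    uid_t ruid, euid;    /* real and effective uid at that moment */
    long  at_secure;     /* AT_SECURE aux-vector entry, -1 if unavailable */
};

static volatile int main_entered = 0;
static struct init_snapshot snap;

/* In a shared object this would be reached through .init_array while the
 * dynamic loader maps the library, before the executable's own code. */
__attribute__((constructor))
static void library_init(void)
{
    snap.ran = 1;
    snap.main_entered = main_entered;
    snap.ruid = getuid();
    snap.euid = geteuid();
#ifdef __linux__
    snap.at_secure = (long)getauxval(AT_SECURE); /* nonzero for setuid exec */
#else
    snap.at_secure = -1;
#endif
}

const struct init_snapshot *get_init_snapshot(void) { return &snap; }

/* 1 if the initializer ran while euid differed from ruid. */
int init_ran_privileged(void) { return snap.ran && snap.euid != snap.ruid; }

int main(void)
{
    main_entered = 1;   /* a privilege drop placed here is already too late */
    printf("init ran=%d before_main=%d ruid=%ld euid=%ld at_secure=%ld\n",
           snap.ran, !snap.main_entered, (long)snap.ruid, (long)snap.euid,
           snap.at_secure);
    return 0;
}
```

Run from an ordinary account this reports equal uids; the same initializer inside a library loaded by a setuid binary would record the elevated effective uid.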