Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SNI-20: Telnetd tgetent vulnerability

From: aleph1 () DFW NET (Aleph One)
Date: Wed, 22 Oct 1997 16:10:49 -0500

---------- Forwarded message ----------
Date: Wed, 22 Oct 1997 13:37:22 -0400 (EDT)
From: David Holland <dholland () eecs harvard edu>
To: linux-security () redhat com
Subject: [linux-security] Re: SNI-20: Telnetd tgetent vulnerability


[mod: Executive summary: SNI found recent linux-distributions
not-vulnerable -- REW]


Well, it looks a little more complicated than that. If your telnetd is
linked against GNU termcap (as opposed to ncurses), it seems that
there *is* a vulnerability; it looks like GNU termcap doesn't check
for overflow of the initial name portion of the terminal type.

ncurses doesn't touch the buffer in question at all.

--
   - David A. Holland             |    VINO project home page:
     dholland () eecs harvard edu    | http://www.eecs.harvard.edu/vino

--
----------------------------------------------------------------------
Please refere to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request () redhat com < /dev/null
Previous By Date Next
Previous By Thread Next

Current thread: