Bugtraq mailing list archives

Re: ncurses 4.1 security bug


From: imp () VILLAGE ORG (Warner Losh)
Date: Thu, 9 Jul 1998 14:23:28 -0600


In message <m0ytvb6-000aQFC () the-village bc nu> Alan Cox writes:
: C++ global object constructors are called in pretty much arbitrary
: order before main() is entered.

That's not entirely correct.  C++ global object constructors need to be
initialized before they are referenced, even if they are in a
dynamically linked in library.  This is traditionally done with a call
to _main() as the first thing in main().

However, that nit-picking aside, you are correct that you cannot
predict when the ctors will be called.

: It's an interesting reason not to write setuid apps in C++ 8)

Or just don't use global objects that have ctors.  It is arguably bad
form anyway :-).  Well, you could use global objects, so long as they
don't need to do privileged things, or carelessly rely on user input..

Warner
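
The pattern discussed in this message, shown as an added example that is not part of the original post or of ncurses: a global object whose constructor reads the environment before main() gets control, next to a global that holds only inert state and is filled in explicitly from main(). The variable name DEMO_CONFIG_DIR, the default path and all type and function names are hypothetical.

```cpp
#include <stdlib.h>   // getenv (and setenv, POSIX)
#include <unistd.h>   // getuid, geteuid
#include <cstdio>
#include <string>

static bool g_main_started = false;  // constant-initialized, valid during ctors

// Risky: a global whose ctor consumes user-controlled input. In a setuid
// binary this runs with elevated privileges before main() can vet anything.
struct EagerConfig {
    std::string dir;
    bool built_before_main;
    EagerConfig() : built_before_main(!g_main_started) {
        const char *v = getenv("DEMO_CONFIG_DIR");  // hypothetical variable name
        dir = v ? v : "";
    }
};
static EagerConfig g_eager;

// Safer: the global holds only inert state; main() fills it in explicitly.
struct LazyConfig {
    std::string dir;
    bool initialised = false;
};
static LazyConfig g_lazy;

static const char *const kDefaultDir = "/usr/share/demo";  // constructed default

bool running_setuid() { return getuid() != geteuid(); }

// Called from main() after any privilege handling; the environment is
// ignored entirely when the process runs with elevated privileges.
void init_config(LazyConfig &c, bool privileged) {
    const char *v = privileged ? nullptr : getenv("DEMO_CONFIG_DIR");
    c.dir = v ? v : kDefaultDir;
    c.initialised = true;
}

int main() {
    g_main_started = true;
    init_config(g_lazy, running_setuid());
    std::printf("eager ctor ran before main: %s (dir=\"%s\")\n",
                g_eager.built_before_main ? "yes" : "no", g_eager.dir.c_str());
    std::printf("lazy dir: %s\n", g_lazy.dir.c_str());
    return 0;
}
```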


