Bugtraq mailing list archives

Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

From: okir () MONAD SWB DE (Olaf Kirch)
Date: Thu, 19 Aug 1999 21:42:08 +0200


On Sun, Jul 04, 1999 at 03:19:38AM +0200, Michal Zalewski wrote:

Oh, haven't said, for clearance... I'm talking about terminfo support and
tgetent() function implemented in libncurses, which is buggy as well,
while ncurses allows '../' tricks.


Do you have any more information about this problem? As far as I can remember,
ncurses doesn't do much parsing with a terminfo file, so there's little
harm that can be done here. Or do you have a demonstrable exploit?

Olaf

--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.

Current thread:

Re: Stupid bug in W3-msql, (continued)
- - - Re: Stupid bug in W3-msql David J. Hughes (Aug 19)
    - Httpd Logging Methods v0rt (Aug 23)
- Re: Internet Auditing Project David Luyer (Aug 15)
  - Re: Internet Auditing Project Peter J. Holzer (Aug 17)
  - [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Bill Nottingham (Aug 17)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Tymm Twillman (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - [RHSA-1999:029-01] Denial of service attack in in.telnetd Bill Nottingham (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Olaf Kirch (Aug 19)
    - Insecure use of file in /tmp by trn Martin Schulze (Aug 19)
    - Winamp SHOUTcast server: Gain Administrator Password Michael (Aug 20)
    - Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 21)
    - IE 5.0 allows executing programs Georgi Guninski (Aug 21)
    - Re: IE 5.0 allows executing programs David LeBlanc (Aug 23)
    - Re: IE 5.0 allows executing programs Jesper M. Johansson (Aug 28)
    - Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 21)
    - Re: Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 24)
    - Re: Vulnerability in Solaris 2.6. rpc.statd ? mb (Aug 28)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Martin Schulze (Aug 19)

(Thread continues...)