Bugtraq mailing list archives

Re: freebsd libncurses overflow

From: billf () CHC-CHIMES COM (Bill Fumerola)
Date: Mon, 24 Apr 2000 15:13:15 -0400


On Mon, Apr 24, 2000 at 02:33:13PM +0200, Przemyslaw Frasunek wrote:

 * Vulnerable Versions

      - 3.4-STABLE  -- vulnerable
      - 4.0-STABLE  -- not tested (probably *not* vulnerable)
      - 5.0-CURRENT -- *not* vulnerable


Isn't this an ncurses problem and not a FreeBSD problem? If later versions of FreeBSD
aren't vulnerable, its probably only because they have a more recent version of ncurses.
Wouldn't it be more proper to mention the version of _ncurses_ with this problem?

The code is simply imported from:

revision 1.1.1.1
date: 1999/08/24 01:06:35;  author: peter;  state: Exp;  lines: +0 -0
Import unmodified (but trimmed) ncurses 5.0 prerelease 990821.
This contains the full eti (panel, form, menu) extensions.
bmake glue to follow.

Obtained from:  ftp://ftp.clark.net/pub/dickey/ncurses

--
Bill Fumerola - Network Architect
Computer Horizons Corp - CVM
e-mail: billf () chc-chimes com / billf () FreeBSD org
Office: 800-252-2421 x128 / Cell: 248-761-7272

PS. Not speaking on behalf of FreeBSD.

Current thread:

IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy) Georgi Guninski (Apr 18)
- RFP2K03: Contemplations on dvwssr.dll and its affects on life rain forest puppy (Apr 20)
- Microsoft Security Bulletin (MS00-026) Microsoft Product Security (Apr 20)
- Re: IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy) TAKAGI, Hiromitsu (Apr 20)
  - freebsd libncurses overflow Przemyslaw Frasunek (Apr 24)
    - Re: freebsd libncurses overflow Kris Kennaway (Apr 24)
    - Re: freebsd libncurses overflow Kris Kennaway (Apr 24)
    - Re: freebsd libncurses overflow Przemyslaw Frasunek (Apr 25)
    - Re: freebsd libncurses overflow Bill Fumerola (Apr 24)
    - Re: freebsd libncurses overflow Theo de Raadt (Apr 26)
    - Denial of Service Against pcAnywhere. Vacuum (Apr 25)
  - Re: IE 5 security vulnerablity - circumventing Cross-framesecurity policy using Java/JavaScript (and disabling ActiveScripting is not that easy) Georgi Guninski (Apr 24)
  - Hotmail security hole - injecting JavaScript in IE using "@import url(http://host/hostile.css)" Georgi Guninski (Apr 24)
- ZoneAlarm Wally Whacker (Apr 20)
  - Re: ZoneAlarm Gary Buckmaster (Apr 22)
  - CVS DoS Michal Szymanski (Apr 23)
    - Re: CVS DoS Kris Kennaway (Apr 24)
    - Re: CVS DoS Kris Kennaway (Apr 24)
    - finding Meeting Maker passwords using tcpdump mhpower () MIT EDU (Apr 24)

(Thread continues...)