Bugtraq mailing list archives
Re: ncurses 4.1 security bug
From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Wed, 8 Jul 1998 15:53:27 +0100
> SUID programs should drop privs almost immediately. The number of possible places such issues can lurk is semi-infinite. You'll never get all of them. You *can*, however, drop privs almost instantly.

Almost is often the killer. On the rest of the issues I'm sure you are preaching to the choir right now.

>> 1. The libraries will use message catalogs and may open them before you do

> In NetBSD, the message catalogs we use don't work that way, so I suppose I'm not familiar with this issue.

Does libc load message databases of your choice - like say /dev/tape ? The problems are those of dropping privileges early enough. As to the bug list that's real apps that need fixing - and should be fixed regardless of whether people bandaid ncurses.

>> 2. If you are using C++ your constructors can't call libc in this case as the order of constructors isn't defined

> ??? Why not just drop privs at the beginning as you are supposed to?

In C++ _you can't_. C++ global object constructors are called in pretty much arbitrary order before main() is entered. It's an interesting reason not to write setuid apps in C++ 8)
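The constructor-ordering point in the message above, as an added example that is not part of the original post: a global object's constructor records the effective uid it runs under, and that record always precedes anything `main()` can do to drop privileges. `Catalog`, `events()` and `drop_privs()` are hypothetical names chosen for this illustration.

```cpp
#include <sys/types.h>
#include <unistd.h>
#include <cstdio>
#include <string>
#include <vector>

struct Event { std::string where; uid_t euid; };

// Function-local static: safely constructed on first use, even when the
// first caller is a global constructor running before main().
static std::vector<Event>& events() {
    static std::vector<Event> log;
    return log;
}

// Hypothetical global object standing in for any library or application global.
struct Catalog {
    Catalog() { events().push_back({"global ctor", geteuid()}); }
};
static Catalog g_catalog;  // constructed before main() is entered

// Permanently give up set-uid/set-gid privileges. The group goes first,
// since setgid() may no longer be permitted once the uid has been dropped.
int drop_privs() {
    const uid_t ruid = getuid();
    const gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0) return -1;
    // Verify the drop took effect instead of trusting the return codes alone.
    if (geteuid() != ruid || getegid() != rgid) return -1;
    events().push_back({"after drop", geteuid()});
    return 0;
}

int main() {
    // Even as the first statement of main(), this runs after g_catalog's constructor.
    if (drop_privs() != 0) { std::perror("drop_privs"); return 1; }
    for (const Event& e : events())
        std::printf("%-12s euid=%lu\n", e.where.c_str(), (unsigned long)e.euid);
    return 0;
}
```

Installed set-uid, the first line printed shows the file owner's euid while the second shows the invoking user's, so any libc call made from a global constructor runs with the elevated id.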