Bugtraq mailing list archives
Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()
From: lcamtuf () IDS PL (Michal Zalewski)
Date: Sun, 4 Jul 1999 06:38:57 +0200
On Thu, 19 Aug 1999, Tymm Twillman wrote:
And as Chris Evans pointed out on linux-security, libncurses on RedHat is built with -DPURE_TERMINFO, which keeps it from using the buggy buffer code in libtermcap.
...not quite true - we're able to cause at least several SEGVs in ncurses' tgetent() function by putting junk into terminfo files. Simply, try some brute-force algorithms. I don't want to discuss about possible consequences of this bug, as we haven't checked carefully terminfo format, nor parser code. _______________________________________________________________________ Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM] [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};: [voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69] Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
Current thread:
- Re: Internet Auditing Project, (continued)
- Re: Internet Auditing Project Viljo Hakala (Aug 17)
- Stupid bug in W3-msql gregory duchemin (Aug 17)
- Re: Stupid bug in W3-msql David J. Hughes (Aug 19)
- Httpd Logging Methods v0rt (Aug 23)
- Re: Internet Auditing Project David Luyer (Aug 15)
- Re: Internet Auditing Project Peter J. Holzer (Aug 17)
- [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Bill Nottingham (Aug 17)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Tymm Twillman (Aug 19)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
- [RHSA-1999:029-01] Denial of service attack in in.telnetd Bill Nottingham (Aug 19)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Olaf Kirch (Aug 19)
- Insecure use of file in /tmp by trn Martin Schulze (Aug 19)
- Winamp SHOUTcast server: Gain Administrator Password Michael (Aug 20)
- Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 21)
- IE 5.0 allows executing programs Georgi Guninski (Aug 21)
- Re: IE 5.0 allows executing programs David LeBlanc (Aug 23)
- Re: IE 5.0 allows executing programs Jesper M. Johansson (Aug 28)
- Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 21)
- Re: Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 24)