Re: ncurses 4.1 security bug
matthew green (mrg ETERNA.COM.AU)
Fri, 10 Jul 1998 19:35:50 +1000
- Next message: David Schwartz: "Re: ncurses 4.1 security bug"
- Previous message: Tom Dyas: "sshd gives out version number"
- In reply to: Alan Cox: "Re: ncurses 4.1 security bug"
- Next in thread: Theo de Raadt: "Re: ncurses 4.1 security bug"
> > 1. The libraries will use message catalogs and may open them before
> > you do
>
> In NetBSD, the message catalogs we use don't work that way, so I
> suppose I'm not familiar with this issue.
Does libc load message databases of your choice - like say /dev/tape ? The
problems are those of dropping privileges early enough. As to the bug list
that's real apps that need fixing - and should be fixed regardless of whether
people bandaid ncurses.

how do you fix this? how does a _library_ know this? openbsd has defined an
issetugid() syscall (or something) that libraries could use to ignore the
things like $TAPE and $TERMCAP, etc., but that isn't correct. how does it
know what the real userid _really_ is, to perform the necessary checks on
whether a file will be used or not -- or do you simply say that privileged
programs don't get this functionality?

i also don't see how the linux setfsuid() really helps here, either.

i've had fixing this problem in my TODO list for over 2 years but
without a total solution i've left it as is for now. these are the
variables listed that NetBSD uses that i've determined are affected:
- TZ
- TERMCAP
- HOSTALIASES
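
The option raised in the message, that privileged programs simply do not get file-naming environment variables, sketched as an added example that is not part of the original post or of any libc. The function names are hypothetical, and the real/effective id comparison is an assumption standing in for issetugid(), with the limitation the message points out noted in the comments.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Variables from the list above that name files a library would open. */
static const char *const file_vars[] = { "TZ", "TERMCAP", "HOSTALIASES" };

/* Pure check so the decision can be tested without a setuid binary. */
int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Portable approximation: true while real and effective ids differ.
 * Limitation: once the program calls setuid(geteuid()) the ids match
 * again and this returns 0 even though the environment still comes
 * from the invoking user; that gap is what issetugid() is meant to cover. */
int process_is_privileged(void)
{
    return ids_differ(getuid(), geteuid(), getgid(), getegid());
}

int is_file_var(const char *name)
{
    for (size_t i = 0; i < sizeof file_vars / sizeof file_vars[0]; i++)
        if (strcmp(name, file_vars[i]) == 0)
            return 1;
    return 0;
}

/* Hypothetical library-internal replacement for getenv(): file-naming
 * variables are ignored when privileged, so built-in defaults apply. */
const char *lib_getenv_checked(const char *name, int privileged)
{
    if (privileged && is_file_var(name))
        return NULL;
    return getenv(name);
}

const char *lib_getenv(const char *name)
{
    return lib_getenv_checked(name, process_is_privileged());
}
```
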