Re: ncurses 4.1 security bug

peakkerberos.troja.mff.cuni.cz

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Tiago Luz Pinto: "Re: ePerl: bad handling of ISINDEX queries"
• Previous message: Solar Designer: "Re: Forwared to me"
• In reply to: Casper Dik: "Re: ncurses 4.1 security bug"
• Next in thread: Ben Laurie: "Re: ncurses 4.1 security bug"

On Thu, 9 Jul 1998, Casper Dik wrote:

> >ncurses version 4.1 fails to drop priviledges before opening the
> >termcap database and you can set any file(s) you like. I am not sure
> >any setuid program allows an exploit but this is not good in any case.
> >Here is a patch that stops that game. (Using the patch requires
> >autoconf because I have not supplied diffs against the configure
> >script).
>
> It seems to me that the below fix is broken; what happens if:
[...]
> Juggling with uids in the library is hard; you don't know what the
> original uids were and you really have no way to find out.

Oh my God, just another "confused deputy" (see [1])!

The library has got a filename (or a part of it). It has no reliable way
to figure out the credentials of a user who provided the filename. Even if
it had them, it would have no guarantee about being able to use them.

Moreover, there is no guarantee regarding the integrity the file, any
data read from it are "tainted". All code of the library dealing with
these data must be absolutely free of vulnerabilities.

There should be a law abolishing complex set*id programs.


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"You can't be truly paranoid unless you're sure they have already got you."

[1] Hardy, N., "The Confused Deputy",
    http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html

• Next message: Tiago Luz Pinto: "Re: ePerl: bad handling of ISINDEX queries"
• Previous message: Solar Designer: "Re: Forwared to me"
• In reply to: Casper Dik: "Re: ncurses 4.1 security bug"
• Next in thread: Ben Laurie: "Re: ncurses 4.1 security bug"