Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1998_3

Bugtraq archives for 3rd quarter (Jul-Sep) 1998: Re: ncurses 4.1 security bug

Re: ncurses 4.1 security bug

Geoffrey KEATING (geoffkDISCUS.ANU.EDU.AU)
Tue, 14 Jul 1998 18:34:46 +1000

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Jon Torrez: "Re: Slackware Shadow Insecurity"
Previous message: Liviu Daia: "Re: Slackware Shadow Insecurity"
In reply to: Ben Laurie: "Re: ncurses 4.1 security bug"
Next in thread: Ben Laurie: "Re: ncurses 4.1 security bug"

> In C++ _you cant_
>
> C++ global object constructors are called in pretty much arbitary
> order before
> main() is entererd.
>
> Its an interesting reason not to write setuid apps in C++ 8)

Note that with ELF shared libraries, it is possible to have a shared
library (written in C, C++, or any other language) that also has
constructors that get executed before any code from the executable
(possibly apart from crt0) gets run.  So you can upgrade a
harmless-looking library and make your system insecure because it was
used by a setuid executable...

--
Geoff Keating <Geoff.Keatinganu.edu.au>

Next message: Jon Torrez: "Re: Slackware Shadow Insecurity"
Previous message: Liviu Daia: "Re: Slackware Shadow Insecurity"
In reply to: Ben Laurie: "Re: ncurses 4.1 security bug"
Next in thread: Ben Laurie: "Re: ncurses 4.1 security bug"