Re: SNI-20: Telnetd tgetent vulnerability

Aleph One (aleph1@DFW.NET)
Wed, 22 Oct 1997 16:10:49 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: X-Force: "ISS Security Alert"
Previous message: Christopher M. Conway: "Re: Majordomo and EXPN"
Maybe in reply to: Secure Networks Inc.: "SNI-20: Telnetd tgetent vulnerability"

---------- Forwarded message ----------
Date: Wed, 22 Oct 1997 13:37:22 -0400 (EDT)
From: David Holland <dholland@eecs.harvard.edu>
To: linux-security@redhat.com
Subject: [linux-security] Re: SNI-20: Telnetd tgetent vulnerability

> [mod: Executive summary: SNI found recent linux-distributions
> not-vulnerable -- REW]

Well, it looks a little more complicated than that. If your telnetd is
linked against GNU termcap (as opposed to ncurses), it seems that
there *is* a vulnerability; it looks like GNU termcap doesn't check
for overflow of the initial name portion of the terminal type.

ncurses doesn't touch the buffer in question at all.

-- - David A. Holland | VINO project home page: dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino

-- ---------------------------------------------------------------------- Please refere to the information about this list as well as general information about Linux security at http://www.aoy.com/Linux/Security. ----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null

Next message: X-Force: "ISS Security Alert"
Previous message: Christopher M. Conway: "Re: Majordomo and EXPN"
Maybe in reply to: Secure Networks Inc.: "SNI-20: Telnetd tgetent vulnerability"