As far as I can tell, this is a matter of shell metacharacters, not of
buffer overflows (just the first 2 lines of chargen output suffice...).
Basically, I believe the problem is not dangerous: The shell runs with
the permissions of the user calling "write", not with root permissions,
and it is executed on the local host, not the host the write is targeted
at.

However

* don't trust "write" in restricted user environments (e.g. for operator
  messages), they might not be as restricted as you want them to be
* don't make "write" suid (or use it in suid code), or your system is
  wide open...

P.S.:
I think this is not related to the "writesrv" bug described in IX69168
(a buffer-overflow-based root exploit in "writesrv", the daemon for
handling "write" requests).

DI. Dr. Klaus Kusche
Oberoesterreichische Landesregierung / Government of Upper Austria
Rechenzentrum / Computing Centre
Smail: Kaerntnerstrasse 16, A-4020 Linz, Austria (Europe)
Phone: +43 732 7720 - 3394 Fax: +43 732 7720 - 3198
Email: Klaus.Kusche@ooe.gv.at