Bugtraq: Re: ncurses 4.1 security bug

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: ncurses 4.1 security bug

From: geoffk () DISCUS ANU EDU AU (Geoffrey KEATING)
Date: Tue, 14 Jul 1998 18:34:46 +1000

In C++ _you cant_

C++ global object constructors are called in pretty much arbitary
order before
main() is entererd.

Its an interesting reason not to write setuid apps in C++ 8)


Note that with ELF shared libraries, it is possible to have a shared
library (written in C, C++, or any other language) that also has
constructors that get executed before any code from the executable
(possibly apart from crt0) gets run.  So you can upgrade a
harmless-looking library and make your system insecure because it was
used by a setuid executable...

--
Geoff Keating <Geoff.Keating () anu edu au>

By Date By Thread

Current thread:

Re: ncurses 4.1 security bug, (continued)
- Re: ncurses 4.1 security bug Ben Laurie (Jul 11)
  - Re: ncurses 4.1 security bug David Schwartz (Jul 11)
  - Re: ncurses 4.1 security bug Geoffrey KEATING (Jul 14)
- Re: ncurses 4.1 security bug Ben Laurie (Jul 11)
  - Re: ncurses 4.1 security bug David Schwartz (Jul 11)
- Re: ncurses 4.1 security bug Ben Laurie (Jul 12)