Date: Wed, 12 Dec 2018 13:10:24 -0600 (CST)
From: Bob Friesenhahn <bfriesen@...ple.dallas.tx.us>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple telnet.c overflows

On Wed, 12 Dec 2018, Tavis Ormandy wrote:

> It's not that environment handling is a non-issue, I've reported
> dozens over the years, it's just that it requires a privilege
> boundary. For example, setuid binaries are the classic example.

Is a network connection between two machines not a 'privilege 
boundary'?  If the remote machine has the ability to subvert the 
accessing machine (e.g. by transmitting something which causes harm to 
the client) then that seems to qualify.

Bob
-- 
Bob Friesenhahn
bfriesen@...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt
