Date: Wed, 12 Dec 2018 11:59:12 -0800
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple telnet.c overflows

On Wed, Dec 12, 2018 at 11:15 AM Bob Friesenhahn
<bfriesen@...ple.dallas.tx.us> wrote:
>
> On Wed, 12 Dec 2018, Tavis Ormandy wrote:
>
> > It's not that environment handling is a non-issue, I've reported
> > dozens over the years, it's just that it requires a privilege
> > boundary. For example, setuid binaries are the classic example.
>
> Is a network connection between two machines not a 'privilege
> boundary'?  If the remote machine has the ability to subvert the
> accessing machine (e.g. by transmitting something which causes harm to
> the client) then that seems to qualify.

That would certainly qualify, but the attack you're describing does not
seem relevant to this bug, no?

Tavis.
