On Mon, 24 Apr 2000, Kris Kennaway wrote:
> On Mon, 24 Apr 2000, Przemyslaw Frasunek wrote:
>
> > - 3.4-STABLE -- vulnerable
> > - 4.0-STABLE -- not tested (probably *not* vulnerable)
>
> -- *not* vulnerable
>
> > - 5.0-CURRENT -- *not* vulnerable
>
> Unfortunately, Mr Frasunek didn't see fit to notifying us before releasing
> his advisory - it will probably be a day or two before this gets
> fixed. Sorry all.
Furthermore, it is not actually a vulnerability. It seems that setuid
programs will not accept an alternate termcap file via TERMCAP even under
the old version of ncurses in FreeBSD 3.x. Therefore this "exploit" can
only be used on your own binaries.
(If we'd have been told beforehand I could have saved Mr Frasunek the
embarrassment ;-)
Kris
----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <[EMAIL PROTECTED]>
