Message-ID: <CAJ_zFk+7hJZWXHT3ufnR7FtJ0ybtts3VbUZmKhFHaMUPiX0JTw@mail.gmail.com>
Date: Wed, 12 Dec 2018 11:59:12 -0800
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple telnet.c overflows

On Wed, Dec 12, 2018 at 11:15 AM Bob Friesenhahn <bfriesen@...ple.dallas.tx.us> wrote:
>
> On Wed, 12 Dec 2018, Tavis Ormandy wrote:
>
> > It's not that environment handling is a non-issue, I've reported
> > dozens over the years, it's just that it requires a privilege
> > boundary. For example, setuid binaries are the classic example.
>
> Is a network connection between two machines not a 'privilege
> boundary'? If the remote machine has the ability to subvert the
> accessing machine (e.g. by transmitting something which causes harm to
> the client) then that seems to qualify.

That would certainly qualify, but the attack you're describing does not seem
relevant to this bug, no?

Tavis.