Subject: Re: *BSD banner INT overflow vulnerability (fwd)
To: None <tech-security@netbsd.org>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 11/27/2006 19:03:17
gabriel rosenkoetter wrote:
> On Wed, Nov 22, 2006 at 10:15:04AM -0600, Jeremy C. Reed wrote:
>> Forwarded mail from bugtraq below.
>>
>> In our case it is our second banner (/usr/games/banner).
>>
>> I just committed fix to improve its check for valid -w width.
>>
>> By the way, I don't know of anyone making this setuid nor using this via 
>> some public gateway.
> 
> I was going to say: "Somehow, I'm not exactly ph34ring over a binary
> we install with mode 0444..."
> 
> Even if used via a public gateway, surely the biggest concern is a
> DoS?

no.

the concern differs. basically, if you combine what you want to
prevent, or control, with the impact of the bug in question and what can
be achieved when successfully exploiting it, you get your answer as to
whether it's a concern or not.

let's say this one allows you to execute arbitrary code in the address
space of the 'banner' program. on a multi-user box, that's harmless
because it doesn't buy you anything (since you're already logged on to
run it). but on a system that forces integrity verification on all the
programs it runs it may open a door to introducing 'untrusted' code to
a 'trusted' process address space -- very loose usage of 'trust' in
this context, of course.

(of course, this is all very simplistic, and you first have to make sure
your arbitrary code is in fact mapped executable, etc. etc., but you get
the point: the security impact of a software bug depends on the
environment in which it is exploited.)

-e.

-- 
Elad Efrat
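As an added example (not code from NetBSD's banner, and not part of the thread above): a defensive parse of a "-w" style width argument of the kind the committed fix tightened, shown beside the naive atoi() variant that accepts negative, truncated, and out-of-range input. The bounds WIDTH_MIN/WIDTH_MAX, the function names, and the buffer-sizing helper are assumptions for illustration; banner's actual limits are not stated in the thread.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed bounds for an output width (hypothetical; banner's real
 * limits are not given in the thread). */
#define WIDTH_MIN 1
#define WIDTH_MAX 1024

/* Naive variant: atoi() has no error reporting, silently stops at the
 * first non-digit, and hands back negative values unchanged.  Shown
 * only to contrast with the checked parser below. */
int parse_width_naive(const char *arg)
{
    return atoi(arg);
}

/* Checked variant: rejects empty input, trailing junk, values that do
 * not fit in a long, and anything outside [WIDTH_MIN, WIDTH_MAX]
 * (which also throws out negatives and zero). */
bool parse_width(const char *arg, int *out)
{
    char *end;
    long v;

    if (arg == NULL || *arg == '\0')
        return false;

    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno == ERANGE)              /* magnitude does not fit a long */
        return false;
    if (end == arg || *end != '\0')   /* no digits, or trailing junk */
        return false;
    if (v < WIDTH_MIN || v > WIDTH_MAX)
        return false;

    *out = (int)v;
    return true;
}

/* Convenience wrapper for tests: parsed width, or -1 on rejection. */
int width_or_minus1(const char *arg)
{
    int w;
    return parse_width(arg, &w) ? w : -1;
}

/* Size a width-by-height character buffer plus a NUL terminator,
 * refusing the request instead of letting the multiplication wrap.
 * Returns 0 on any invalid or overflowing input. */
size_t line_buffer_size(int width, int height)
{
    if (width <= 0 || height <= 0)
        return 0;
    if ((size_t)width > (SIZE_MAX - 1) / (size_t)height)
        return 0;
    return (size_t)width * (size_t)height + 1;
}
```

The point of doing the range check on the long value before narrowing to int, and of bounding the multiply before the allocation, is that the width reaches the allocator only after every path an attacker controls has been rejected.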