Subject: Re: Buffer overrun patches
To: Michael Graff <email@example.com>
From: David Holland <firstname.lastname@example.org>
Date: 09/07/1996 17:31:35
> > - telnetd: block the ENV variable from being transferred, as in some
> > circumstances this may lead to unexpected execution of commands.
> > (ENV points bash and other shells at command text to execute.)
> I have applied this but not committed it. Any objections?

Better block BASH_ENV too (gnu featurism...)

For Linux I went over to explicitly allowing only a certain small
number of variables through. This was because we discovered a bunch of
neato variables you could set in libc to do stuff like change the NIS
You may want to do this too, although it's probably not as necessary.

- David A. Holland | Number of words in the English language that
email@example.com | exist because of typos or misreadings: 381
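
The two filtering approaches discussed in this message, side by side, as an added example that is not part of the original mail and is not code from any telnetd: a denylist holding only ENV and BASH_ENV, and an allowlist that passes a small fixed set of names. The allowlist contents, the function names, the "NAME=value" input form and the variable LIBC_KNOB_EXAMPLE are assumptions made up for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed lists for illustration; not any real telnetd's actual list. */
static const char *const allowed_vars[] = { "TERM", "DISPLAY", "USER", "LOGNAME", NULL };
static const char *const denied_vars[]  = { "ENV", "BASH_ENV", NULL };

/* Exact-length match, so "TERMCAP" does not pass as "TERM". */
static int name_in(const char *const *list, const char *name, size_t len) {
    for (; *list != NULL; list++)
        if (strlen(*list) == len && memcmp(*list, name, len) == 0)
            return 1;
    return 0;
}

/* Length of NAME in "NAME=value"; 0 when there is no '=' or the name is empty. */
static size_t var_name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq == NULL ? 0 : (size_t)(eq - entry);
}

/* Denylist: passes anything not named, including variables nobody thought of. */
int denylist_accepts(const char *entry) {
    size_t n = var_name_len(entry);
    return n != 0 && !name_in(denied_vars, entry, n);
}

/* Allowlist: passes only the names listed; everything else is dropped. */
int allowlist_accepts(const char *entry) {
    size_t n = var_name_len(entry);
    return n != 0 && name_in(allowed_vars, entry, n);
}

/* Compact a NULL-terminated list in place, keeping allowlisted entries only. */
size_t filter_env(const char **envp) {
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (allowlist_accepts(envp[i]))
            envp[kept++] = envp[i];
    envp[kept] = NULL;
    return kept;
}

/* Constructed sample of client-supplied entries; returns how many survive. */
size_t sample_kept(void) {
    const char *env[] = { "TERM=vt100", "ENV=sample", "BASH_ENV=sample",
                          "LIBC_KNOB_EXAMPLE=1", "TERMCAP=x", "USER=alice", NULL };
    return filter_env(env);
}
```

The denylist stops the two names it knows about but still accepts LIBC_KNOB_EXAMPLE, while the allowlist drops it without anyone having to know the variable exists.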