Subject: Re: Buffer overrun patches
To: Michael Graff <>
From: David Holland <>
List: tech-userlevel
Date: 09/07/1996 17:31:35
 > >  - telnetd: block the ENV variable from being transferred, as in some
 > >      circumstances this may lead to unexpected execution of commands.
 > >      (ENV points bash and other shells at command text to execute.)
 > I have applied this but not committed it.  Any objections?

Better block BASH_ENV too (GNU featurism...)

For Linux I went over to explicitly allowing only a certain small
number of variables through. This was because we discovered a bunch of
neato variables you could set in libc to do stuff like change the NIS
domain. <sigh>

You may want to do this too, although it's probably not as necessary.
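
The difference between blocking named variables and allowing only a known set, as an added example that is not part of the original message or of any telnetd source. The allowlist contents and the variable name EXAMPLE_LIBC_TUNABLE are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Variables the thread names as ones to block. */
static const char *const denylist[] = { "ENV", "BASH_ENV", NULL };
/* Assumed allowlist, for illustration only; not any telnetd's real list. */
static const char *const allowlist[] = { "TERM", "DISPLAY", "USER", NULL };

/* Return 1 if name exactly matches an entry of the NULL-terminated list. */
static int in_list(const char *name, const char *const *list)
{
    for (; *list != NULL; list++)
        if (strcmp(name, *list) == 0)
            return 1;
    return 0;
}

/* Denylist policy: accept anything not already known to be dangerous. */
int deny_policy_accepts(const char *name)
{
    return name != NULL && !in_list(name, denylist);
}

/* Allowlist policy: accept only names known to be needed. */
int allow_policy_accepts(const char *name)
{
    return name != NULL && in_list(name, allowlist);
}

/* Count how many client-supplied names a policy lets through. */
int count_accepted(const char *const *names, int (*policy)(const char *))
{
    int n = 0;
    for (; *names != NULL; names++)
        if (policy(*names))
            n++;
    return n;
}

/* Constructed client request. EXAMPLE_LIBC_TUNABLE is a made-up name that
 * stands in for a libc variable nobody thought to put on the denylist. */
const char *const sample_request[] = {
    "TERM", "ENV", "BASH_ENV", "EXAMPLE_LIBC_TUNABLE", "DISPLAY", NULL
};

int main(void)
{
    printf("denylist passes %d\n", count_accepted(sample_request, deny_policy_accepts));
    printf("allowlist passes %d\n", count_accepted(sample_request, allow_policy_accepts));
    return 0;
}
```

The denylist lets the unanticipated variable through because it only rejects names someone has already identified; the allowlist rejects it by default.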

