From owner-freebsd-bugs  Tue Apr  7 11:40:07 1998
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id LAA11844
          for freebsd-bugs-outgoing; Tue, 7 Apr 1998 11:40:07 -0700 (PDT)
          (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: (from gnats@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id LAA11822;
          Tue, 7 Apr 1998 11:40:05 -0700 (PDT)
          (envelope-from gnats)
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id LAA11677;
          Tue, 7 Apr 1998 11:39:20 -0700 (PDT)
          (envelope-from nobody)
Message-Id: <199804071839.LAA11677@hub.freebsd.org>
Date: Tue, 7 Apr 1998 11:39:20 -0700 (PDT)
From: jcwells@u.washington.edu
To: freebsd-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: www-1.0
Subject: bin/6241: getty accepts inputs that it should not
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>Number:         6241
>Category:       bin
>Synopsis:       getty accepts inputs that it should not
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr  7 11:40:04 PDT 1998
>Last-Modified:
>Originator:     Jason Wells
>Organization:
na
>Release:        2.2.2-RELEASE
>Environment:
FreeBSD s8-37-26.student.washington.edu 2.2.2-RELEASE FreeBSD 2.2.2-RELEASE #0: Sat Mar 21 21:23:27 PST 1998     jason@s8-37-26.student.washington.edu:/usr/src/sys/compile/BRONCO  i386
>Description:
When at the 'login:' prompt on the console I was able to backspace over the prompt, use the arrow key to move the cursor around the screen.	
>How-To-Repeat:
Login on the console
Logout
At the new 'login:' prompt hit f12
now backspace and use arrow keys to move the cursor around
>Fix:
I dunno. The problem seems minor. It was a fluke that I found it at all. If getty is still secure, then this probably no big deal. If this impacts getty's security. then it is a pretty big deal. In my non-expert way, I must ask if a clever person can device a series of keystrokes that getty should not accept (but does) that can return a shell?
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message