From owner-freebsd-security Thu Sep 10 14:59:34 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id OAA07908
    for freebsd-security-outgoing; Thu, 10 Sep 1998 14:59:34 -0700 (PDT)
    (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from puck.nether.net (puck.nether.net [204.42.254.5])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA07897
    for ; Thu, 10 Sep 1998 14:59:32 -0700 (PDT)
    (envelope-from jared@puck.nether.net)
Received: (from jared@localhost)
    by puck.nether.net (8.9.0/8.7.3) id RAA12666;
    Thu, 10 Sep 1998 17:34:19 -0400
Message-ID: <19980910173419.G12040@puck.nether.net>
Date: Thu, 10 Sep 1998 17:34:19 -0400
From: Jared Mauch
To: Aleph One
Cc: "Jordan K. Hubbard", Michael Richards <026809r@dragon.acadiau.ca>,
    security@FreeBSD.ORG
Subject: Re: cat exploit
References: <19980910171918.E12040@puck.nether.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Aleph One on Thu, Sep 10, 1998 at 04:22:30PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 10, 1998 at 04:22:30PM -0500, Aleph One wrote:
> On Thu, 10 Sep 1998, Jared Mauch wrote:
>
> > > Whoa! If you don't know the contents of a file don't read it. If you don't
> > > read a file you don't know its contents. That's some really useful
> > > suggestion.
> >
> > Silly rabbit, tricks are for kids.
> >
> > What you really need to do is using a modern file(1), or
> > more specifically file with a modern magic(5) file, you can determine
> > the best way to view it.
>
> Are you going to really use file(1) on every README file you find to try
> to determine if it's dangerous? Will all your users do the same? What we
> need to fix is silly programs like xterm that process dangerous escape
> characters.

How are you going to do your terminal emulation then?

If you always use cat -v, that will escape them. What's the problem?

    echo "alias cat='cat -v'" >> ~/.profile
    echo 'alias cat cat -v' >> ~/.cshrc

etc..

- jared
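
What cat -v does to the escape characters discussed in this thread, as an added example that is not part of the original message: a Python re-implementation of the -v rendering, plus a check that lists the lines of a file carrying terminal control bytes. The function names and the sample bytes are constructed for illustration.

```python
"""Added example: cat -v style rendering of untrusted text before display."""
import sys

# Constructed sample: a window-title sequence (ESC ] ... BEL) and an 8-bit CSI.
SAMPLE = b"README\n\x1b]0;constructed title\x07plain text\nbye\x9b2J\n"


def visible(data: bytes) -> str:
    """Render bytes as cat -v does, so the terminal never sees a raw control byte."""
    out = []
    for b in data:
        if b in (0x09, 0x0A):        # tab and newline pass through under -v
            out.append(chr(b))
            continue
        if b >= 0x80:                # 8-bit byte: M- prefix, then the low 7 bits
            out.append("M-")
            b &= 0x7F
        if b < 0x20:                 # C0 control: caret notation, ESC becomes ^[
            out.append("^" + chr(b + 0x40))
        elif b == 0x7F:              # DEL
            out.append("^?")
        else:
            out.append(chr(b))
    return "".join(out)


def risky_lines(data: bytes) -> list[int]:
    """1-based numbers of lines holding bytes a terminal may act on:
    C0 controls other than tab, DEL, and the C1 range 0x80-0x9f.
    Carriage returns count too, so CRLF files are flagged on every line."""
    hits = []
    for number, line in enumerate(data.split(b"\n"), 1):
        if any((b < 0x20 and b != 0x09) or b == 0x7F or 0x80 <= b <= 0x9F
               for b in line):
            hits.append(number)
    return hits


if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
    else:
        data = SAMPLE
    print("lines with control bytes:", risky_lines(data))
    sys.stdout.write(visible(data))
```
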