Concerning possible bugs in the 'inn' package

Russ Allbery rra at
Sun Oct 9 05:05:12 UTC 2005

Ben Schwarz <bschwarz at EECS.berkeley.EDU> writes:

> The specific type of bug which we have found stems from the standard
> file descriptors (FDs) on a Unix system. Typically, when a process is
> started, FD 0, 1 and 2 are set to standard in, standard out, and
> standard error respectively. Subsequent uses of input and output
> functions--such as printf--will read or write from one of these three
> descriptors. Customarily, a program starts with its standard file
> descriptors opened to terminal devices. However, since the kernel does
> not enforce this convention, an attacker can force a standard file
> descriptor of a victim program to be opened to a sensitive file, so that
> he may discover confidential information from the sensitive file or
> modify the sensitive file.


> Programs with bugs:
> rnews, rnews.c line 725

I've modified rnews to burn three file descriptors on startup if it's
running with privileges.

Russ Allbery (rra at             <>

More information about the inn-bugs mailing list