BugTraq summary, week of 19 oct 1998.

browser bugs
There are a bunch of them, so let's just put them in one big category here.

If you connect to a site using its 32-bit IP (f.e.: http://3475932041/ is the Microsoft web site), IE will assume the site is in your "local intranet" zone, and use the "local intranet" security rules.
IE will crash if it receives an <IMG> tag with width set to "000..." (lots of zeroes).
Netscape 4.x will crash if you attempt to download a specially-made evil plugin which will overflow your mime-type settings.
In Netscape 4.5, if you disable Javascript, when you exit and restart the browser, it will say that Javascript is disabled, but it will in fact be re-enabled. You have to click "enable", then "disable" again. This will happen every time you exit.

hpux sharedx receiver gets busy
By sending specific amount of characters to HPUX SharedX Receiver Service, remote (and local) users can cause the recserv process to reach about 100%, after which it has to be restarted.

aix fingerd doesn't like long gecos
AIX's chfn will allow you to set your gecos field (your "real name" field) to something really long. Unfortunately if you do that, and someone fingers you remotely, fingerd will crash. Nobody's tried to find out if it's exploitable yet (probably is).

solaris imap server buffer overblow
Sun released a patch for a buffer overflow in their IMAP server, probably the same as the one from the UW IMAP server.

more cde bugs
RedHat is recalling CDE distributions because of the ToolTalk bug (http://ciac.llnl.gov/ciac/bulletins/i-091.shtml) and apparently because they believe there are many other bugs waiting in the wings. They license the binaries from a company called TriTeal and claim that the combination of CDE's bugs and the binary-only distribution don't give them enough flexibility to fix the holes. You can get a refund from RedHat if you bought CDE through them.

dos programs can retreive windows password
In Windows 3.x/95/98, a DOS program can call int 2f, ax=0x1184, and retreive your WFW password.

mutt will give you mail access
Mutt is some kind of mail utility. If you run it with the TERM environment variable set really long, it'll have a buffer overflow and you can run things as group "mail" (bad for sendmail systems).

irix/aix autofsd has mysterious exploit
SGI is telling Irix users to turn off autofsd because outsiders can gain root through it. autofsd lets you export automounted directories over NFS. SGI didn't give any details about what the problem is. IBM later reported an almost identical vulnerability in their automountd. Hmmm.

hpux logging
HPUX 11.0B (64-bit) doesn't log su failures.

openbsd sometimes won't drop root privileges
Recent versions of OpenBSD attempt to implement setreuid/setregid as library calls, and therefore when running as root, a program can't use these calls to relinquish root privileges. Some programs don't check the return value from setreuid/setregid and so they will assume they've dropped root privs when they haven't. This is considered a bug in OpenBSD since setreuid is a common way to drop root privs, and shouldn't fail.