Topic:    Buffer overflows in MIT Kerberos 5 telnet client

Version:  NetBSD-current: source prior to April 1, 2005
          NetBSD 2.1:     not affected
          NetBSD 2.0.3:   not affected
          NetBSD 2.0.2:   affected
          NetBSD 2.0:     affected
          NetBSD 1.6.2:   affected
          NetBSD 1.6.1:   affected
          NetBSD 1.6:     affected

Severity: Remote code execution if connected to malicious server

Fixed:    NetBSD-current:    April 1, 2005
          NetBSD-3 branch:   April 8, 2005 (3.0 will include the fix)
          NetBSD-2.0 branch: April 8, 2005 (2.0.3 includes the fix)
          NetBSD-2 branch:   April 8, 2005 (2.1 includes the fix)
          NetBSD-1.6 branch: April 8, 2005
Abstract
The telnet client program in NetBSD, supporting MIT Kerberos 5
authentication, contains several buffer overflows that can be triggered
when connecting to a malicious telnet server. When exploited, these
overflows can lead to remote code execution.
Technical Details
The slc_add_reply() and env_opt_add() functions in telnet.c perform
inadequate length checking. slc_add_reply() may overflow a fixed-size
data segment or BSS buffer when receiving a maliciously crafted telnet
LINEMODE suboption string. env_opt_add() may overflow a heap buffer when
receiving a maliciously crafted telnet NEW-ENVIRON suboption string.
Both overflows may lead to arbitrary code execution.
CVE: CAN-2005-0468 and CAN-2005-0469
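The defect in both functions is the same: bytes received from the server are appended to a fixed-size reply buffer without first checking that they fit. The example below is added here to illustrate the missing check; it is not code from telnet.c, and the structure, names (struct reply, reply_put_escaped, slc_reply_add, env_reply_add), the 128-byte capacity and the demo inputs are all constructed assumptions. It models one LINEMODE SLC reply accumulator and one NEW-ENVIRON reply accumulator on top of a single bounded append primitive, and it shows the detail that makes naive length accounting wrong for telnet: a data byte equal to IAC (255) is sent doubled, so the space reserved before writing must be the worst case, twice the input length, not the input length itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IAC       255   /* telnet "interpret as command"; a data byte of 255 is sent doubled */
#define REPLY_CAP 128   /* constructed: deliberately small so the demo reaches the limit */
#define ENV_VAR     0   /* NEW-ENVIRON framing bytes */
#define ENV_VALUE   1

/* Fixed-size reply buffer: an illustrative model, not telnet.c's own structure. */
struct reply {
    unsigned char buf[REPLY_CAP];
    size_t len;
};

static void reply_init(struct reply *r) { r->len = 0; }

/* Append n data bytes, doubling every IAC. The capacity check happens once,
 * against the worst case (all n bytes are IAC, so 2*n on the wire), before
 * anything is written; on failure the buffer is untouched and 0 is returned.
 * Reserving only n bytes here, or not checking at all, is the accounting
 * mistake that turns this copy into an overflow of the reply buffer. */
static int reply_put_escaped(struct reply *r, const unsigned char *p, size_t n)
{
    if (n > (sizeof r->buf - r->len) / 2)   /* overflow-safe form of len + 2*n > cap */
        return 0;
    for (size_t i = 0; i < n; i++) {
        r->buf[r->len++] = p[i];
        if (p[i] == IAC)
            r->buf[r->len++] = IAC;
    }
    return 1;
}

/* LINEMODE SLC reply: one (function, flags, level) triplet per call. */
static int slc_reply_add(struct reply *r, unsigned char func, unsigned char flags, unsigned char level)
{
    unsigned char t[3] = { func, flags, level };
    return reply_put_escaped(r, t, 3);
}

/* NEW-ENVIRON reply: VAR name VALUE value, accepted or rejected as a whole so
 * a rejected entry never leaves a half-written VAR behind. */
static int env_reply_add(struct reply *r, const unsigned char *name, size_t nlen,
                         const unsigned char *value, size_t vlen)
{
    size_t avail = sizeof r->buf - r->len;
    /* need = 2 framing bytes + 2*(nlen+vlen) worst case; the first two tests
     * keep the multiplication from wrapping on absurd lengths */
    if (nlen > avail || vlen > avail || 2 + 2 * (nlen + vlen) > avail)
        return 0;
    r->buf[r->len++] = ENV_VAR;
    reply_put_escaped(r, name, nlen);      /* cannot fail: space reserved above */
    r->buf[r->len++] = ENV_VALUE;
    reply_put_escaped(r, value, vlen);
    return 1;
}

struct demo_result { int accepted; size_t len; };

/* Constructed "server" input: a suboption modelled as `triplets` SLC entries
 * whose three bytes all equal `fill`. Returns how many were accepted and how
 * full the buffer is afterwards; the loop stops at the first rejection
 * instead of writing past the end. */
struct demo_result demo_slc(size_t triplets, unsigned char fill)
{
    struct reply r;
    struct demo_result res = { 0, 0 };
    reply_init(&r);
    for (size_t i = 0; i < triplets; i++) {
        if (!slc_reply_add(&r, fill, fill, fill))
            break;
        res.accepted++;
    }
    res.len = r.len;
    return res;
}

/* Constructed NEW-ENVIRON entry USER=<vlen bytes of IAC>: returns the bytes
 * used by the reply, or -1 if the entry was rejected as too large. */
long demo_env(size_t vlen)
{
    struct reply r;
    unsigned char value[256];
    if (vlen > sizeof value)
        return -1;
    memset(value, IAC, vlen);
    reply_init(&r);
    if (!env_reply_add(&r, (const unsigned char *)"USER", 4, value, vlen))
        return -1;
    return (long)r.len;
}

int main(void)
{
    struct demo_result a = demo_slc(30, IAC), b = demo_slc(100, 'a');
    printf("all-IAC triplets: %d accepted, %zu/%d bytes used\n", a.accepted, a.len, REPLY_CAP);
    printf("plain triplets:   %d accepted, %zu/%d bytes used\n", b.accepted, b.len, REPLY_CAP);
    printf("USER=5xIAC -> %ld bytes, USER=60xIAC -> %ld\n", demo_env(5), demo_env(60));
    return 0;
}
```

Two things are visible when this runs. With all-IAC triplets, only 21 of 30 fit in 128 bytes because each costs 6 bytes on the wire, so a check that budgeted 3 bytes per triplet would have let the 22nd overrun the buffer. With plain triplets the reservation is conservative: the 42nd is refused with 5 bytes still free, which is the right trade, since the check is made before the bytes are inspected and must cover the worst case.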
Solutions and Workarounds
There is no workaround to this problem.
It is recommended that all NetBSD users of affected versions upgrade
their telnet binaries to a non-vulnerable version.
The following instructions describe how to upgrade your telnet
binaries by updating your source tree and rebuilding and
installing a new version of telnet.
* NetBSD-current:
Systems running NetBSD-current dated from before 2005-03-29
should be upgraded to NetBSD-current dated 2005-04-01 or later.
The following files need to be updated from the netbsd-current CVS
branch (aka HEAD):
usr.bin/telnet/telnet.c
To update from CVS, re-build, and re-install telnet:
# cd src
# cvs update -d -P usr.bin/telnet/telnet.c
# cd usr.bin/telnet
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 2.0:
The binary distribution of NetBSD 2.0 is vulnerable.
NetBSD 2.1 includes the fix.
Systems running NetBSD 2.0 sources dated from before
2005-04-08 should be upgraded from NetBSD 2.0 sources dated
2005-04-09 or later.
The following files need to be updated from the
netbsd-2-0 CVS branch:
usr.bin/telnet/telnet.c
To update from CVS, re-build, and re-install telnet:
# cd src
# cvs update -d -P -r netbsd-2-0 usr.bin/telnet/telnet.c
# cd usr.bin/telnet
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.6, 1.6.1, 1.6.2:
The binary distributions of NetBSD 1.6, 1.6.1, and 1.6.2 are vulnerable.
Systems running NetBSD 1.6 sources dated from before
2005-04-08 should be upgraded from NetBSD 1.6 sources dated
2005-04-09 or later.
NetBSD 1.6.3 will include the fix.
The following files need to be updated from the
netbsd-1-6 CVS branch:
usr.bin/telnet/telnet.c
To update from CVS, re-build, and re-install telnet:
# cd src
# cvs update -d -P -r netbsd-1-6 usr.bin/telnet/telnet.c
# cd usr.bin/telnet
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
iDEFENSE for researching this vulnerability.
MIT for alerting us about this vulnerability and providing a fix.
Revision History
2005-10-31 Initial release
More Information
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-004.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/
and
http://www.NetBSD.org/Security/ .
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.