[1212] in linux-security and linux-alert archive
Re: [linux-security] libc 5.4.7
daemon@ATHENA.MIT.EDU (David Holland)
Sat Oct 12 07:42:21 1996
From: David Holland <dholland@eecs.harvard.edu>
To: panzer@dhp.com (Matt)
Date: Wed, 9 Oct 1996 14:24:58 -0400 (EDT)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <53dtlv$cfq@stronghold.dhp.com> from "Matt" at Oct 8, 96 03:57:51 pm
> David Holland <dholland@eecs.harvard.edu> wrote:
> : I'm working on a fixed version [I've been altogether too busy of late,
> : I'm afraid]. It is reasonably safe to use the 0.07A telnet; just don't
> : use it as part of a restricted shell setup.
>
> : The telnet*D* in 0.07A on the other hand is pretty unsafe.
>
> Or you can get the original telnet/telnetd from cray and apply the
> patches I have available.
>
> ftp://ftp.dhp.com/pub/linux/security/telnet.95.10.23.patch
>
> I've had no problems with this at all....
You may not, but from a cursory inspection it's not safe - your patch
doesn't address anything related to security whatsoever, and the
original source does not appear to block RESOLV_HOST_CONF or any of
the other things libc honors, although it does block LD_*.
The libc upgrade disallows these settings for setuid and setgid
programs; since login is not setuid when run from telnetd, anything
login does that might tickle these variables is a major hazard.
This is doubly true if your login is statically linked against a libc
prior to 5.4.7, or if you haven't updated libc, in which case buffer
overflow games are possible too.
** To repeat: Do NOT use cray telnetd at this point.
--
- David A. Holland | VINO project home page:
dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino
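The hazard David describes, telnetd passing its inherited environment to a login that is not setuid so the libc 5.4.7 setuid-only protection never applies, is addressed by having the daemon filter the environment itself before exec. The following is an added example, not code from cray telnetd, libc, or Matt's patch; beyond LD_* and RESOLV_HOST_CONF, the names HOSTALIASES, LOCALDOMAIN and RES_OPTIONS are assumed additions to the block list, and the sample environment is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Variables libc consults that a daemon must not pass through to a program
 * it execs as root (e.g. login). LD_* is matched as a prefix; the names
 * other than RESOLV_HOST_CONF are assumed for this example. */
static const char *const blocked_prefixes[] = { "LD_", NULL };
static const char *const blocked_names[] = {
    "RESOLV_HOST_CONF", "HOSTALIASES", "LOCALDOMAIN", "RES_OPTIONS", NULL
};

/* Return 1 if a "NAME=value" entry must be dropped, 0 if it may pass.
 * Only the NAME part (before '=') is compared, so a value containing
 * one of the blocked names does not cause a false match. */
int env_is_dangerous(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t namelen = eq ? (size_t)(eq - entry) : strlen(entry);
    for (const char *const *p = blocked_prefixes; *p; p++)
        if (strncmp(entry, *p, strlen(*p)) == 0) return 1;
    for (const char *const *n = blocked_names; *n; n++)
        if (strlen(*n) == namelen && strncmp(entry, *n, namelen) == 0) return 1;
    return 0;
}

/* Copy the safe entries of the NULL-terminated in[] into out[] (capacity
 * max, including the terminating NULL). Returns the number kept. */
size_t filter_env(char *const in[], char *out[], size_t max)
{
    size_t kept = 0;
    for (size_t i = 0; in[i] != NULL && kept + 1 < max; i++)
        if (!env_is_dangerous(in[i])) out[kept++] = in[i];
    out[kept] = NULL;
    return kept;
}

/* Constructed sample environment, as a remote client might offer it. */
size_t sample_kept(void)
{
    char *sample[] = { "TERM=vt100", "LD_PRELOAD=/tmp/x.so",
                       "RESOLV_HOST_CONF=/tmp/hc", "HOME=/home/u", NULL };
    char *clean[8];
    size_t n = filter_env(sample, clean, 8);
    for (size_t i = 0; i < n; i++) printf("%s\n", clean[i]);
    return n;  /* 2: TERM and HOME survive */
}

int main(void) { return sample_kept() == 2 ? 0 : 1; }
```

The filtered array would be handed to execve() in place of the daemon's own environ; anything not on the block list still reaches login, so the list must track what the installed libc honours.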