[962] in linux-security and linux-alert archive


[linux-alert] Linux NetKit-B update.

daemon@ATHENA.MIT.EDU (David Holland)
Thu Jul 25 17:12:28 1996

From: David Holland <dholland@hcs.harvard.edu>
To: linux-alert@tarsier.cv.nrao.edu, bugtraq@crimelab.com
Date: Wed, 24 Jul 1996 01:41:12 -0400 (EDT)
Reply-To: linux-security@tarsier.cv.nrao.edu

Linux NetKit-B-0.07 has been released (check comp.os.linux.announce
for details).

This fixes the following security problems/hazards:

1. Possible overrun copying DNS results into a buffer on the stack in
fingerd while processing the linux-specific -w ("welcome banner")
option. Patch: convert sprintf to snprintf.

2. Possible overrun copying DNS results into a buffer on the stack in
talkd. This affected FreeBSD, NetBSD, and OpenBSD as well; all have
integrated a fix into the current development tree. It may affect
vendors... Patch: convert sprintf to snprintf in announce.c.

3. Possible overrun copying $TERM into a buffer on the stack in
rlogin. This affects lots of platforms, but has been mentioned here
before I think. Patch: use snprintf or strncpy.

4. Suspicious (but not necessarily exploitable) handling of buffers on
the stack in rshd. Patch: convert sprintf to snprintf.

5. rsh didn't drop root before execing rlogin. This is not a big deal
except in conjunction with (3) -- chmod -s on rlogin is *not*
sufficient. 

6. Buffer overflow in ping mentioned yesterday, but it's not on the
stack and consequently probably not exploitable. Patch: use snprintf.

7. Integrated a fix for the telnetd environment bug (old news, but it
hadn't got into the standard linux sources yet.)

Also, there was a bug in sliplogin where it did "setuid(0); system()"
without clearing the environment. A fixed version has been available
for Linux and FreeBSD for some time, but the news had not reached
NetBSD until last week. Vendor versions could be vulnerable.

-- 
   - David A. Holland          | Number of words in the English language that
     dholland@hcs.harvard.edu  | exist because of typos or misreadings: 381
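
The sprintf-to-snprintf conversion named in items 1, 2, 4 and 6, and the strncpy alternative from item 3, as an added example that is not part of the original message and is not NetKit source. The function names, the banner text and the buffer sizes are assumptions for illustration, and the oversized host name is constructed.

```c
#include <stdio.h>
#include <string.h>

#define BANNER_MAX 64   /* assumed size of the on-stack buffer */

/* Before: unbounded. host comes from a reverse DNS lookup, so its length
 * is set by whoever controls that zone. Shown for contrast, never called. */
void banner_unsafe(char *dst, const char *host)
{
    sprintf(dst, "Welcome, %s\r\n", host);
}

/* After: bounded. Returns 0 on success, -1 if the text did not fit
 * (dst then holds a NUL-terminated, truncated string). */
int banner_safe(char *dst, size_t dstlen, const char *host)
{
    int n = snprintf(dst, dstlen, "Welcome, %s\r\n", host);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}

/* strncpy variant for a value such as $TERM. strncpy does not write a
 * terminating NUL when the source fills the buffer, so add it by hand. */
int copy_term(char *dst, size_t dstlen, const char *term)
{
    if (dstlen == 0)
        return -1;
    strncpy(dst, term, dstlen - 1);
    dst[dstlen - 1] = '\0';
    return strlen(term) >= dstlen ? -1 : 0;
}

int main(void)
{
    char host[256], banner[BANNER_MAX], term[8];
    int rc;

    memset(host, 'a', sizeof host - 1);   /* constructed oversized name */
    host[sizeof host - 1] = '\0';

    rc = banner_safe(banner, sizeof banner, host);
    printf("long host:  rc=%d, %zu bytes stored\n", rc, strlen(banner));
    rc = banner_safe(banner, sizeof banner, "example.org");
    printf("short host: rc=%d\n", rc);
    rc = copy_term(term, sizeof term, "xterm-256color");
    printf("long TERM:  rc=%d, stored \"%s\"\n", rc, term);
    return 0;
}
```

Checking the return value matters because snprintf truncates silently; a caller that ignores it may act on a shortened host name or terminal type.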
