-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2005-004
                 =================================

Topic:          Buffer overflows in MIT Kerberos 5 telnet client

Version:        NetBSD-current:         source prior to April 1, 2005
                NetBSD 2.1:             not affected
                NetBSD 2.0.3:           not affected
                NetBSD 2.0.2:           affected
                NetBSD 2.0:             affected
                NetBSD 1.6.2:           affected
                NetBSD 1.6.1:           affected
                NetBSD 1.6:             affected

Severity:       Remote code execution if connected to a malicious server

Fixed:          NetBSD-current:         April 1, 2005
                NetBSD-3 branch:        April 8, 2005 (3.0 will include the fix)
                NetBSD-2.0 branch:      April 8, 2005 (2.0.3 includes the fix)
                NetBSD-2 branch:        April 8, 2005 (2.1 includes the fix)
                NetBSD-1.6 branch:      April 8, 2005


Abstract
========

The telnet client program in NetBSD, built with support for MIT Kerberos 5
authentication, contains several buffer overflows that can be triggered by
the server side of a telnet session. A malicious telnet server can exploit
them to execute arbitrary code on the client machine with the privileges of
the user running telnet.


Technical Details
=================

The slc_add_reply() and env_opt_add() functions in telnet.c perform
inadequate length checking when building replies to suboptions sent by the
server.

slc_add_reply() may overflow a fixed-size buffer in the data segment or BSS
when receiving a maliciously crafted telnet LINEMODE suboption string.

env_opt_add() may overflow a heap buffer when receiving a maliciously
crafted telnet NEW-ENVIRON suboption string.

Both overflows may lead to arbitrary code execution.

CVE: CAN-2005-0468 (env_opt_add()) and CAN-2005-0469 (slc_add_reply())


Solutions and Workarounds
=========================

There is no workaround for this problem in the telnet client itself; the
only way to limit exposure until the binary is replaced is to not connect
to untrusted telnet servers. All NetBSD users of affected versions should
upgrade their telnet binaries to a non-vulnerable version.

The following instructions describe how to upgrade your telnet binaries
by updating your source tree and rebuilding and installing a new version
of telnet.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2005-03-29
        should be upgraded to NetBSD-current dated 2005-04-01 or later.
        The following files need to be updated from the netbsd-current
        CVS branch (aka HEAD):
                usr.bin/telnet/telnet.c

        To update from CVS, re-build, and re-install telnet:

                # cd src
                # cvs update -d -P usr.bin/telnet/telnet.c
                # cd usr.bin/telnet
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 2.0:

        The binary distributions of NetBSD 2.0 and 2.0.2 are vulnerable.
        NetBSD 2.0.3 and NetBSD 2.1 include the fix.

        Systems running NetBSD 2.0 sources dated from before 2005-04-08
        should be upgraded from NetBSD 2.0 sources dated 2005-04-09 or later.

        The following files need to be updated from the netbsd-2-0
        CVS branch:
                usr.bin/telnet/telnet.c

        To update from CVS, re-build, and re-install telnet:

                # cd src
                # cvs update -d -P -r netbsd-2-0 usr.bin/telnet/telnet.c
                # cd usr.bin/telnet
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 1.6, 1.6.1, 1.6.2:

        The binary distributions of NetBSD 1.6, 1.6.1, and 1.6.2 are
        vulnerable.

        Systems running NetBSD 1.6 sources dated from before 2005-04-08
        should be upgraded from NetBSD 1.6 sources dated 2005-04-09 or later.
        NetBSD 1.6.3 will include the fix.

        The following files need to be updated from the netbsd-1-6
        CVS branch:
                usr.bin/telnet/telnet.c

        To update from CVS, re-build, and re-install telnet:

                # cd src
                # cvs update -d -P -r netbsd-1-6 usr.bin/telnet/telnet.c
                # cd usr.bin/telnet
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

iDEFENSE for researching this vulnerability.

MIT for alerting us about this vulnerability and providing a fix.


Revision History
================

        2005-10-31      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-004.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
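The following C program is an added illustration of the bug class described
under Technical Details above. It is not NetBSD's telnet.c and not MIT's fix;
the struct layouts, buffer sizes and function names (append_escaped(),
env_add(), slc_add(), build_env_reply(), demo_slc()) are assumptions made for
the example. It shows why a reply buffer sized for the raw length of a
server-supplied suboption is too small once 0xff (IAC) bytes are doubled on
output, for both a heap-allocated NEW-ENVIRON reply and a fixed-size SLC
reply, and puts a bounded builder next to each.

```c
/* Constructed model of the two reply builders named under Technical Details.
 * NOT NetBSD's telnet.c: buffer sizes, struct layouts and names are assumptions
 * that isolate the bug class (a reply sized for the raw suboption length while
 * IAC bytes are doubled on output) and put a bounded rewrite beside it. */
#include <stdlib.h>
#include <string.h>

#define IAC 255   /* telnet "Interpret As Command"; a data 0xff is sent as IAC IAC */

/* Bytes that n raw bytes occupy once every IAC is doubled. */
static size_t escaped_len(const unsigned char *p, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        out += (p[i] == IAC) ? 2 : 1;
    return out;
}

/* Copy src into dst[*len..cap) with IAC doubling; refuse rather than overrun. */
static int append_escaped(unsigned char *dst, size_t cap, size_t *len,
                          const unsigned char *src, size_t n)
{
    if (*len > cap || escaped_len(src, n) > cap - *len)   /* bound check first */
        return -1;
    for (size_t i = 0; i < n; i++) {
        dst[(*len)++] = src[i];
        if (src[i] == IAC)
            dst[(*len)++] = IAC;
    }
    return 0;
}

struct env_reply { unsigned char *buf; size_t len, cap; };   /* NEW-ENVIRON, heap */

/* The flawed sizing (env_opt_add() pattern) as pure arithmetic: reserve type byte
 * + RAW length, write type byte + ESCAPED length.  Returns bytes past the block. */
static size_t env_naive_overrun(const unsigned char *val, size_t n)
{
    size_t reserved = 1 + n, written = 1 + escaped_len(val, n);
    return written > reserved ? written - reserved : 0;
}

/* Hardened append: size on the escaped length, grow, then copy bounded. */
static int env_add(struct env_reply *r, unsigned char type,
                   const unsigned char *val, size_t n)
{
    size_t need = r->len + 1 + escaped_len(val, n);
    if (need > r->cap) {
        size_t ncap = need > 2 * r->cap ? need : 2 * r->cap;
        unsigned char *nb = realloc(r->buf, ncap);
        if (nb == NULL)
            return -1;
        r->buf = nb;
        r->cap = ncap;
    }
    r->buf[r->len++] = type;
    return append_escaped(r->buf, r->cap, &r->len, val, n);
}

#define SLC_MAX_TRIPLES 4   /* assumed; buffer sized for RAW triples, as the bug needs */
struct slc_reply { unsigned char buf[3 * SLC_MAX_TRIPLES]; size_t len; };   /* LINEMODE SLC */

/* slc_add_reply() pattern, bounded: func, flags or value may be 0xff and then
 * take two bytes, so a triple that no longer fits is refused, not written. */
static int slc_add(struct slc_reply *r, unsigned char func,
                   unsigned char flags, unsigned char value)
{
    unsigned char triple[3] = { func, flags, value };
    return append_escaped(r->buf, sizeof r->buf, &r->len, triple, 3);
}

/* Build VAR "USER" + VALUE val with the hardened builder.  Returns the bytes
 * emitted (5 + 1 + escaped value) after checking no IAC in the value is bare. */
static long build_env_reply(const unsigned char *val, size_t n)
{
    struct env_reply r = { NULL, 0, 0 };
    long out = -1;
    if (env_add(&r, 0 /* VAR */, (const unsigned char *)"USER", 4) == 0 &&
        env_add(&r, 1 /* VALUE */, val, n) == 0) {
        out = (long)r.len;
        for (size_t i = 6; i < r.len; i++)
            if (r.buf[i] == IAC && (++i >= r.len || r.buf[i] != IAC))
                out = -2;   /* an IAC reached the wire unescaped */
    }
    free(r.buf);
    return out;
}

/* Add triples with value byte `value` until one is refused; returns how many fit:
 * 4 for a plain value, 3 for value == IAC because each triple then costs 4 bytes. */
static int demo_slc(unsigned char value)
{
    struct slc_reply r = { {0}, 0 };
    int accepted = 0;
    for (unsigned char func = 1; func <= SLC_MAX_TRIPLES; func++)
        if (slc_add(&r, func, 0x02, value) == 0)
            accepted++;
    return accepted;
}
```

With a server-chosen value of four 0xff bytes, env_naive_overrun() reports
four bytes written past a block sized for the raw value, while
build_env_reply() on the same value grows to the escaped size and returns 14.
demo_slc(0x03) fits all four triples in the 12-byte SLC buffer; demo_slc(IAC)
fits three and refuses the fourth instead of overrunning. The model leaves out
the IAC SB ... IAC SE framing and the check that the server's request stays
inside the suboption it sent, both of which the real reply builders also need.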
Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-004.txt,v 1.13 2005/10/31 06:36:35 gendalia Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)

iQCVAwUBQ2fKUz5Ru2/4N2IFAQLEjQP+K/9/7qknJL6CXC0Y475wpLGzRfdQFZgn
7LX/2AfkvjWf/S4lNCJwjPFp5t2OT4b92ejAvoHTjsuBVAZXMubxk2+WPETykG6p
1UW9IujiLa/MTEYm8xTukmKA2RL+2E7Jf2n5dR0g9BM/+UZHprKgTV19SCAXzS6n
874WryZNtxE=
=iXJ4
-----END PGP SIGNATURE-----