I'm NMUing the package to fix this security hole, using the attached patch.
-- see shy jo
diff -ur old/netkit-telnet-ssl-0.17.24+0.1/debian/changelog netkit-telnet-ssl-0.17.24+0.1/debian/changelog --- old/netkit-telnet-ssl-0.17.24+0.1/debian/changelog 2005-03-31 11:10:59.000000000 -1000 +++ netkit-telnet-ssl-0.17.24+0.1/debian/changelog 2005-03-31 11:10:42.000000000 -1000 @@ -1,3 +1,13 @@ +netkit-telnet-ssl (0.17.24+0.1-7.1) unstable; urgency=HIGH + + * NMU + * telnet/telnet.cc: Fixed buffer overflow in the handling of the + LINEMODE suboptions in telnet clients (CAN-2005-0469). + Thanks Martin 'Joey' Schulze for the patch. + Closes: #302036 + + -- Joey Hess <[EMAIL PROTECTED]> Thu, 31 Mar 2005 11:09:56 -1000 + netkit-telnet-ssl (0.17.24+0.1-7) unstable; urgency=low * telnetd.postrm: use "test -x" instead of "command -v" (Closes: #293052). diff -ur old/netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc --- old/netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc 2005-03-31 11:10:59.000000000 -1000 +++ netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc 2005-03-31 11:09:52.000000000 -1000 @@ -1148,6 +1148,7 @@ unsigned char slc_reply[128]; +unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)]; unsigned char *slc_replyp; void slc_start_reply(void) { @@ -1159,6 +1160,14 @@ } void slc_add_reply(int func, int flags, int value) { + /* A sequence of up to 6 bytes my be written for this member of the SLC + * suboption list by this function. The end of negotiation command, + * which is written by slc_end_reply(), will require 2 additional + * bytes. Do not proceed unless there is sufficient space for these + * items. + */ + if (&slc_replyp[6+2] > slc_reply_eom) + return; if ((*slc_replyp++ = func) == IAC) *slc_replyp++ = IAC; if ((*slc_replyp++ = flags) == IAC)
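Review bot: the sentinel `slc_reply_eom = &slc_reply[sizeof(slc_reply)]` added in the @@ -1148,6 +1148,7 @@ hunk is the one-past-the-end address, the only out-of-range pointer C++ lets you form, and a one-line comment saying so would stop a later reader from "correcting" it to `&slc_reply[sizeof(slc_reply) - 1]`, which would silently shrink the usable buffer by a byte. Since it is only used in this translation unit, `static` would also keep the new symbol out of the global namespace.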
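Review bot: the guard `if (&slc_replyp[6+2] > slc_reply_eom) return;` in the @@ -1159,6 +1160,14 @@ hunk forms a pointer up to seven elements past the end of `slc_reply` before comparing it, which is undefined behaviour in C++ even though it works on a flat address space; a distance check, `if (slc_reply_eom - slc_replyp < 6 + 2) return;`, enforces the same bound (func, flags and value each doubled on IAC, plus the two end-of-suboption bytes written by `slc_end_reply()`) without ever forming an out-of-range pointer. The bare `return` drops the SLC entry silently, so `slc_end_reply()` still sends a truncated but well-formed list; that is the right fail-safe, but a comment or debug message noting the dropped entry would help when diagnosing a peer whose SLC list exceeds the 128-byte reply buffer. Also, "my be written" in the new comment should read "may be written".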