I'm NMUing the package to fix this security hole, using the attached
patch.

-- 
see shy jo
diff -ur old/netkit-telnet-ssl-0.17.24+0.1/debian/changelog 
netkit-telnet-ssl-0.17.24+0.1/debian/changelog
--- old/netkit-telnet-ssl-0.17.24+0.1/debian/changelog  2005-03-31 
11:10:59.000000000 -1000
+++ netkit-telnet-ssl-0.17.24+0.1/debian/changelog      2005-03-31 
11:10:42.000000000 -1000
@@ -1,3 +1,13 @@
+netkit-telnet-ssl (0.17.24+0.1-7.1) unstable; urgency=HIGH
+
+  * NMU
+  * telnet/telnet.cc: Fixed buffer overflow in the handling of the
+    LINEMODE suboptions in telnet clients (CAN-2005-0469).
+    Thanks Martin 'Joey' Schulze for the patch.
+    Closes: #302036
+
+ -- Joey Hess <[EMAIL PROTECTED]>  Thu, 31 Mar 2005 11:09:56 -1000
+
 netkit-telnet-ssl (0.17.24+0.1-7) unstable; urgency=low
 
   * telnetd.postrm: use "test -x" instead of "command -v" (Closes: #293052).
diff -ur old/netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc 
netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc
--- old/netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc  2005-03-31 
11:10:59.000000000 -1000
+++ netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc      2005-03-31 
11:09:52.000000000 -1000
@@ -1148,6 +1148,7 @@
 
 
 unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
 unsigned char *slc_replyp;
 
 void slc_start_reply(void) {
@@ -1159,6 +1160,14 @@
 }
 
 void slc_add_reply(int func, int flags, int value) {
+  /* A sequence of up to 6 bytes my be written for this member of the SLC
+   * suboption list by this function.  The end of negotiation command,
+   * which is written by slc_end_reply(), will require 2 additional
+   * bytes.  Do not proceed unless there is sufficient space for these
+   * items.
+   */
+  if (&slc_replyp[6+2] > slc_reply_eom)
+    return;
   if ((*slc_replyp++ = func) == IAC)
     *slc_replyp++ = IAC;
   if ((*slc_replyp++ = flags) == IAC)
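Review bot: The guard `if (&slc_replyp[6+2] > slc_reply_eom)` forms a pointer up to seven bytes beyond the end of `slc_reply` before comparing, which is undefined behaviour in C and C++ precisely in the near-full case the check exists for; an optimizer may assume the address is in bounds and fold the comparison away. Comparing remaining space as an integer is well-defined and reads more directly: `if (slc_reply_eom - slc_replyp < 6 + 2) return;`. The silent `return` also drops this SLC entry with no indication to slc_end_reply() or its caller, which are outside this hunk, so a comment stating that truncation of the reply is deliberate would help the next reader, and `my be written` in the new comment should read `may be written`. The body of slc_add_reply continues past the end of the hunk.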
