Package: heimdal Severity: grave Tags: security patch Heimdal contains a remotely exploitable buffer overflow in the getterminaltype() function. This has been fixed in the new upstream versions 0.6.5 and 0.7.0. URL: http://www.pdc.kth.se/heimdal/advisory/2005-06-20/
I've extracted the security-relevant fix from the 0.6.4->0.6.5 patch. If you are planning more extensive changes for packaging 0.7, it might be a good idea to release a fixed package for the 0.6 branch before that. Cheers, Moritz -- System Information: Debian Release: 3.0 Architecture: i386 Kernel: Linux anton 2.4.30-univention.2 #1 SMP Thu May 12 13:53:52 CEST 2005 i686 Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]
diff -Naur heimdal-0.6.3.orig/debian/patches/033_getterminaltype_overflow heimdal-0.6.3/debian/patches/033_getterminaltype_overflow
--- heimdal-0.6.3.orig/debian/patches/033_getterminaltype_overflow Thu Jan 1 01:00:00 1970
+++ heimdal-0.6.3/debian/patches/033_getterminaltype_overflow Mon Jun 20 12:49:40 2005
@@ -0,0 +1,81 @@
+--- heimdal-0.6.4/appl/telnet/telnetd/ext.h Mon Apr 18 22:53:17 2005
++++ heimdal-0.6.3/appl/telnet/telnetd/ext.h Tue Jun 14 16:27:23 2005
+@@ -57,7 +57,7 @@
+ 
+ extern slcfun slctab[NSLC + 1]; /* slc mapping table */
+ 
+-extern char *terminaltype;
++extern char terminaltype[41];
+ 
+ /*
+ * I/O data buffers, pointers, and counters.
+diff -Naur heimdal-0.6.4/appl/telnet/telnetd/global.c heimdal-0.6.5/appl/telnet/telnetd/global.c
+--- heimdal-0.6.4/appl/telnet/telnetd/global.c Mon Apr 18 22:53:17 2005
++++ heimdal-0.6.3/appl/telnet/telnetd/global.c Tue Jun 14 16:27:23 2005
+@@ -54,7 +54,7 @@
+ 
+ slcfun slctab[NSLC + 1]; /* slc mapping table */
+ 
+-char *terminaltype;
++char terminaltype[41];
+ 
+ /*
+ * I/O data buffers, pointers, and counters.
+diff -Naur heimdal-0.6.4/appl/telnet/telnetd/state.c heimdal-0.6.5/appl/telnet/telnetd/state.c
+--- heimdal-0.6.4/appl/telnet/telnetd/state.c Mon Apr 18 22:53:17 2005
++++ heimdal-0.6.3/appl/telnet/telnetd/state.c Tue Jun 14 16:27:23 2005
+@@ -939,7 +939,7 @@
+ } /* end of case TELOPT_TSPEED */
+ 
+ case TELOPT_TTYPE: { /* Yaaaay! */
+- static char terminalname[41];
++ char *p;
+ 
+ if (his_state_is_wont(TELOPT_TTYPE)) /* Ignore if option disabled */
+ break;
+@@ -949,9 +949,9 @@
+ return; /* ??? XXX but, this is the most robust */
+ }
+ 
+- terminaltype = terminalname;
++ p = terminaltype;
+ 
+- while ((terminaltype < (terminalname + sizeof terminalname-1)) &&
++ while ((p < (terminaltype + sizeof terminaltype-1)) &&
+ !SB_EOF()) {
+ int c;
+ 
+@@ -959,10 +959,9 @@
+ if (isupper(c)) {
+ c = tolower(c);
+ }
+- *terminaltype++ = c; /* accumulate name */
++ *p++ = c; /* accumulate name */
+ }
+- *terminaltype = 0;
+- terminaltype = terminalname;
++ *p = 0;
+ break;
+ } /* end of case TELOPT_TTYPE */
+ 
+diff -Naur heimdal-0.6.4/appl/telnet/telnetd/telnetd.c heimdal-0.6.5/appl/telnet/telnetd/telnetd.c
+--- heimdal-0.6.4/appl/telnet/telnetd/telnetd.c Mon Apr 18 22:53:18 2005
++++ heimdal-0.6.3/appl/telnet/telnetd/telnetd.c Tue Jun 14 16:27:23 2005
+@@ -636,7 +636,7 @@
+ */
+ _gettermname();
+ if (strncmp(first, terminaltype, sizeof(first)) != 0)
+- strcpy(terminaltype, first);
++ strlcpy(terminaltype, first, sizeof(terminaltype));
+ break;
+ }
+ }
+@@ -752,7 +752,7 @@
+ */
+ *user_name = 0;
+ level = getterminaltype(user_name, sizeof(user_name));
+- esetenv("TERM", terminaltype ? terminaltype : "network", 1);
++ esetenv("TERM", terminaltype[0] ? terminaltype : "network", 1);
+ 
+ #ifdef _SC_CRAY_SECURE_SYS
+ if (secflag) {
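Review bot: The buffer length 41 is written out separately in the ext.h declaration (`extern char terminaltype[41];`) and the global.c definition (`char terminaltype[41];`), and nothing ties the two together, so a later edit to one of them silently changes what `sizeof terminaltype` means in the state.c loop bound and in the telnetd.c `strlcpy` size. Both of those bounds are only correct while every translation unit sees the array declaration from ext.h; any remaining `extern char *terminaltype;` elsewhere in telnetd would make `sizeof` the pointer size and reopen the overflow, which is worth a grep across the tree (not visible from this patch). I would define the length once in ext.h and reference it from both places, e.g. `#define TERMINALTYPE_SIZE 41 /* 40 chars + NUL; every writer bounds by sizeof terminaltype */` (proposed name) with `extern char terminaltype[TERMINALTYPE_SIZE];` and `char terminaltype[TERMINALTYPE_SIZE];`. The `strlcpy` in the -636 hunk presumably comes from Heimdal's roken compatibility library; confirm the Debian build links it on platforms whose libc lacks it, otherwise the fixed path fails to link rather than overflow.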