Package: heimdal
Severity: grave
Tags: security patch
Heimdal contains a remotely exploitable buffer overflow in the getterminaltype()
function. This has been fixed in the new upstream versions 0.6.5 and 0.7.0.
URL: http://www.pdc.kth.se/heimdal/advisory/2005-06-20/
I've extracted the security-relevant fix from the 0.6.4-0.6.5 patch. If you are
planning more extensive changes for packaging 0.7, it might be a good idea to
release a fixed package for the 0.6 branch before that.
Cheers,
Moritz
-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux anton 2.4.30-univention.2 #1 SMP Thu May 12 13:53:52 CEST 2005
i686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]
diff -Naur heimdal-0.6.3.orig/debian/patches/033_getterminaltype_overflow heimdal-0.6.3/debian/patches/033_getterminaltype_overflow
--- heimdal-0.6.3.orig/debian/patches/033_getterminaltype_overflow Thu Jan 1 01:00:00 1970
+++ heimdal-0.6.3/debian/patches/033_getterminaltype_overflow Mon Jun 20 12:49:40 2005
@@ -0,0 +1,81 @@
+--- heimdal-0.6.4/appl/telnet/telnetd/ext.h Mon Apr 18 22:53:17 2005
heimdal-0.6.3/appl/telnet/telnetd/ext.h Tue Jun 14 16:27:23 2005
+@@ -57,7 +57,7 @@
+
+ extern slcfun slctab[NSLC + 1]; /* slc mapping table */
+
+-extern char *terminaltype;
++extern char terminaltype[41];
+
+ /*
+ * I/O data buffers, pointers, and counters.
+diff -Naur heimdal-0.6.4/appl/telnet/telnetd/global.c heimdal-0.6.5/appl/telnet/telnetd/global.c
+--- heimdal-0.6.4/appl/telnet/telnetd/global.c Mon Apr 18 22:53:17 2005
heimdal-0.6.3/appl/telnet/telnetd/global.c Tue Jun 14 16:27:23 2005
+@@ -54,7 +54,7 @@
+
+ slcfun slctab[NSLC + 1]; /* slc mapping table */
+
+-char *terminaltype;
++char terminaltype[41];
+
+ /*
+ * I/O data buffers, pointers, and counters.
+diff -Naur heimdal-0.6.4/appl/telnet/telnetd/state.c heimdal-0.6.5/appl/telnet/telnetd/state.c
+--- heimdal-0.6.4/appl/telnet/telnetd/state.c Mon Apr 18 22:53:17 2005
heimdal-0.6.3/appl/telnet/telnetd/state.c Tue Jun 14 16:27:23 2005
+@@ -939,7 +939,7 @@
+ } /* end of case TELOPT_TSPEED */
+
+ case TELOPT_TTYPE: { /* Yy! */
+- static char terminalname[41];
++ char *p;
+
+ if (his_state_is_wont(TELOPT_TTYPE)) /* Ignore if option disabled */
+ break;
+@@ -949,9 +949,9 @@
+ return; /* ??? XXX but, this is the most robust */
+ }
+
+- terminaltype = terminalname;
++ p = terminaltype;
+
+- while ((terminaltype (terminalname + sizeof terminalname-1))
++ while ((p (terminaltype + sizeof terminaltype-1))
+ !SB_EOF()) {
+ int c;
+
+@@ -959,10 +959,9 @@
+ if (isupper(c)) {
+ c = tolower(c);
+ }
+- *terminaltype++ = c;/* accumulate name */
++ *p++ = c;/* accumulate name */
+ }
+- *terminaltype = 0;
+- terminaltype = terminalname;
++ *p = 0;
+ break;
+ } /* end of case TELOPT_TTYPE */
+
+diff -Naur heimdal-0.6.4/appl/telnet/telnetd/telnetd.c heimdal-0.6.5/appl/telnet/telnetd/telnetd.c
+--- heimdal-0.6.4/appl/telnet/telnetd/telnetd.c Mon Apr 18 22:53:18 2005
heimdal-0.6.3/appl/telnet/telnetd/telnetd.c Tue Jun 14 16:27:23 2005
+@@ -636,7 +636,7 @@
+ */
+ _gettermname();
+ if (strncmp(first, terminaltype, sizeof(first)) != 0)
+- strcpy(terminaltype, first);
++ strlcpy(terminaltype, first, sizeof(terminaltype));
+ break;
+ }
+ }
+@@ -752,7 +752,7 @@
+ */
+ *user_name = 0;
+ level = getterminaltype(user_name, sizeof(user_name));
+-esetenv(TERM, terminaltype ? terminaltype : network, 1);
++esetenv(TERM, terminaltype[0] ? terminaltype : network, 1);
+
+ #ifdef _SC_CRAY_SECURE_SYS
+ if (secflag) {
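Review bot: The buffer length 41 is now written out by hand in both ext.h (`extern char terminaltype[41];`) and global.c (`char terminaltype[41];`) with nothing tying the two declarations together; a named constant in ext.h (for example a constructed `#define TERMINALTYPE_LEN 41`) used in both declarations would keep them from drifting if the limit is ever changed, and a comment on the definition such as `/* negotiated TTYPE name, at most 40 chars plus NUL; written only by the TELOPT_TTYPE handler in state.c and the strlcpy in telnetd.c */` would record the new ownership. The fix itself looks sound: the TTYPE loop in state.c now advances a bounded local `p` and stops at `sizeof terminaltype-1`, and the telnetd.c copy is limited by the array's size via `strlcpy`, so a client-supplied terminal name longer than 40 bytes can no longer overrun the buffer. Separately, the hunk as pasted into this report appears to have lost characters in transit — the comparison operator in `while ((p (terminaltype + sizeof terminaltype-1))` and the `++++` prefix on the nested file-header lines for ext.h, global.c, state.c and telnetd.c — so the patch file should be taken from the upstream 0.6.5 diff rather than from this message body. The enclosing functions (the TELOPT_TTYPE case in state.c and the callers in telnetd.c) start and end outside the quoted hunks.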