Skip Menu |
 

Download (untitled) / with headers
text/plain 2.7KiB
From mhpower@MIT.EDU Wed Oct 2 02:04:04 1996
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id CAA06445 for <bugs@RT-11.MIT.EDU>; Wed, 2 Oct 1996 02:04:04 -0400
Received: from YAZ-PISTACHIO.MIT.EDU by MIT.EDU with SMTP
id AA00427; Wed, 2 Oct 96 02:04:03 EDT
Received: by yaz-pistachio.MIT.EDU (5.57/4.7) id AA05464; Wed, 2 Oct 96 02:04:03 -0400
Message-Id: <9610020604.AA05464@yaz-pistachio.MIT.EDU>
Date: Wed, 02 Oct 1996 02:04:01 EDT
From: mhpower@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: buffer overflow with KRB4_ENCPWD code and long hostnames

Show quoted text
>Number: 50
>Category: telnet
>Synopsis: buffer overflow with KRB4_ENCPWD code and long hostnames
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: hartmans
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Oct e 02:05:01 EDT 1996
>Last-Modified: Mon Oct e 01:01:13 EDT 1996
>Originator:
>Organization:
>Release:
>Environment:
>Description:
If telnet is built with KRB4_ENCPWD defined (this assumes, for
example, that code for the krb_*_encpwd_req functions exists
somewhere), the remote hostname available to krb4encpwd_reply can be
up to MAXDNAME-1 (255) characters, but it is strcpy'd to a buffer of
size ANAME_SZ (40). This patch should allow the correct instance to be
found if the first '.' in this hostname is before the 40th character.
It doesn't consider the issue of warning the user if the first '.' in
the hostname occurs at the 40th character or later.

I am not using the KRB4_ENCPWD code myself and would personally not
care if it were simply deleted from the distribution.

Matt
Show quoted text
>How-To-Repeat:
>Fix:
*** krb5-beta7/src/appl/telnet/libtelnet/krb4encpwd.c.old Tue Jun 27 16:32:28 1995
--- krb5-beta7/src/appl/telnet/libtelnet/krb4encpwd.c Wed Oct 2 01:01:01 1996
***************
*** 315,317 ****
Challenge = challenge;
! strcpy(instance, RemoteHostName);
if ((cp = index(instance, '.')) != 0) *cp = '\0';
--- 315,318 ----
Challenge = challenge;
! strncpy(instance, RemoteHostName, sizeof(instance));
! instance[sizeof(instance)-1] = '\0';
if ((cp = index(instance, '.')) != 0) *cp = '\0';

Files changed in appl/telnet/libtelnet:
remove krb4encpwd.c rsaencpwd read_password.c
update Makefile.in auth.c


Show quoted text
>Audit-Trail:

Responsible-Changed-From-To: gnats-admin->hartmans
Responsible-Changed-By: tlyu
Responsible-Changed-When: Wed Oct 2 15:35:08 1996
Responsible-Changed-Why:
this is a telnet problem; refiling

State-Changed-From-To: open-closed State-Changed-By: hartmans
State-Changed-When: Mon Oct 14 00:59:22 1996 State-Changed-Why:
Removed krb4encpwd and rsaencpwd authentication options. These
options were not being tested and relied on libraries not available to
MIT.



Show quoted text
>Unformatted: