From djm@web.us.uu.net Fri Apr 14 12:41:36 2000
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id MAA03266
for <bugs@RT-11.MIT.EDU>; Fri, 14 Apr 2000 12:41:35 -0400 (EDT)
Received: from jenkins.web.us.uu.net by MIT.EDU with SMTP
id AA12516; Fri, 14 Apr 00 12:43:27 EDT
Received: from dagger.web.us.uu.net by jenkins.web.us.uu.net with ESMTP
(peer crosschecked as: dagger.web.us.uu.net [208.211.134.28])
id MAA11617; Fri, 14 Apr 2000 12:41:33 -0400 (EDT)
Received: by dagger.web.us.uu.net
id MAA28681; Fri, 14 Apr 2000 12:41:10 -0400
Message-Id: <MAA28681.200004141641@dagger.web.us.uu.net>
Date: Fri, 14 Apr 2000 12:41:10 -0400
From: djm@web.us.uu.net (David J. MacKenzie)
Reply-To: djm@web.us.uu.net
To: krb5-bugs@MIT.EDU
Cc: djm@web.us.uu.net
Subject: fixes for telnetd bugs
X-Send-Pr-Version: 3.99

>Number: 842
>Category: krb5-appl
>Synopsis: fixes for pointer bugs in telnetd
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Apr 14 12:42:00 EDT 2000
>Last-Modified:
>Originator: David MacKenzie
>Organization:
UUNET Technologies
>Release: krb5-1.1.1
>Environment:

System: Linux dagger.web.us.uu.net 2.2.14-15mdk #2 Sat Mar 11 19:32:26 EST 2000 i686 unknown
Architecture: i686

>Description:
telnetd from krb5 has the following 3 bugs:

1. It fails to actually return the return value from a function.
2. It uses a buffer that's too small for some termcap entries
in ESR's termcap files from the past few years, leading to
either a buffer overrun or a truncated entry (depending on
the termcap library).
3. It passes spurious arguments to sprintf.

>How-To-Repeat:
Use a long entry from a recent termcap file, or a C compiler
that doesn't handle registers quite the way you expected,
or gcc -Wall.

>Fix:

--- /homes/elves/djm/src/krb5-1.1.1/src/appl/telnet/telnetd/sys_term.c Fri Dec 17 15:44:26 1999
+++ src/appl/telnet/telnetd/sys_term.c Tue Mar 28 03:10:37 2000
@@ -1019,6 +1019,7 @@
pty = -1;
}
#endif
+ return t;
}

#if !defined(CRAY) || !defined(NEWINIT)
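Review bot: The new `return t;` after the `#endif` relies on `t` holding a meaningful value on every path that reaches the closing brace, and the hunk does not show where `t` is assigned. Please confirm that the branch ending in `pty = -1;` also leaves `t` set to the failure value callers test for, and name the affected function in the change description so the fix can be matched to its callers.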
--- /homes/elves/djm/src/krb5-1.1.1/src/appl/telnet/telnetd/telnetd.c Fri Dec 17 15:44:26 1999
+++ src/appl/telnet/telnetd/telnetd.c Tue Mar 28 03:15:14 2000
@@ -896,7 +905,7 @@
terminaltypeok(s)
char *s;
{
- char buf[1024];
+ char buf[4096];

if (!*s)
return(1);
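Review bot: The literal 4096 in `char buf[4096];` is still a fixed guess at the largest termcap entry, so an entry longer than that brings back the same overrun or truncation the report describes. Suggest replacing the magic number with a named constant carrying a comment on where the size comes from, and checking in `terminaltypeok` whether the termcap library in use bounds its write into `buf`; if it does not, the lookup needs a form that cannot write past the caller's buffer.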
--- /homes/elves/djm/src/krb5-1.1.1/src/appl/telnet/telnetd/utility.c Fri Dec 17 15:44:27 1999
+++ src/appl/telnet/telnetd/utility.c Tue Mar 28 03:15:51 2000
@@ -1143,12 +1143,12 @@
break;

case ENCRYPT_ENC_KEYID:
- sprintf(nfrontp, " ENC_KEYID", pointer[1]);
+ sprintf(nfrontp, " ENC_KEYID");
nfrontp += strlen(nfrontp);
goto encommon;

case ENCRYPT_DEC_KEYID:
- sprintf(nfrontp, " DEC_KEYID", pointer[1]);
+ sprintf(nfrontp, " DEC_KEYID");
nfrontp += strlen(nfrontp);
goto encommon;

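Review bot: With the stray `pointer[1]` argument gone, `sprintf(nfrontp, " ENC_KEYID");` and `sprintf(nfrontp, " DEC_KEYID");` have no conversions left, yet they remain unbounded writes at `nfrontp` with no visible check on the space remaining in the output buffer. Suggest a bounded copy sized to the room left before `nfrontp += strlen(nfrontp);`, applied to both cases, and a note in the change description that these were found with `gcc -Wall` so the other `sprintf` calls in utility.c get the same pass.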
>Audit-Trail:
>Unformatted: