Subject: NetBSD Security Advisory 2005-004: Buffer overflows in MIT Kerberos 5 telnet client
To: None <tech-security@NetBSD.org, current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: tech-security
Date: 11/08/2005 09:55:44


		 NetBSD Security Advisory 2005-004
		 =================================

Topic:		Buffer overflows in MIT Kerberos 5 telnet client

Version:	NetBSD-current:	source prior to April 1, 2005
		NetBSD 2.1:	not affected
		NetBSD 2.0.3:	not affected
		NetBSD 2.0.2:	affected
		NetBSD 2.0:	affected
		NetBSD 1.6.2:	affected
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected

Severity:	Remote code execution if connected to malicious server

Fixed:		NetBSD-current:		April 1, 2005
		NetBSD-3 branch:	April 8, 2005
						(3.0 will include the fix)
		NetBSD-2.0 branch:	April 8, 2005
						(2.0.3 includes the fix)
		NetBSD-2 branch:	April 8, 2005
						(2.1 includes the fix)
		NetBSD-1.6 branch:	April 8, 2005


Abstract
========

The telnet client program in NetBSD, supporting MIT Kerberos 5
authentication, contains several buffer overflows that can be triggered
when connecting to a malicious telnet server. When exploited, these
overflows can lead to remote code execution.


Technical Details
=================

The slc_add_reply() and env_opt_add() functions in telnet.c perform
inadequate length checking. slc_add_reply() may overflow a fixed-size
data segment or BSS buffer when receiving a maliciously crafted telnet
LINEMODE suboption string. env_opt_add() may overflow a heap buffer when
receiving a maliciously crafted telnet NEW-ENVIRON suboption string.

Both overflows may lead to arbitrary code execution.

CVE: CAN-2005-0468 and CAN-2005-0469
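The bounded-append pattern that a fixed slc_add_reply() needs, as an added C example (not NetBSD's or MIT's telnet.c): a hypothetical slc_add_reply_bounded() refuses an SLC triple when its worst-case escaped length would not fit the fixed reply buffer, and feed_slc_suboption() walks a constructed LINEMODE suboption body in 3-byte triples. The buffer size SLC_REPLY_CAP, the struct and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IAC 255          /* telnet "interpret as command"; doubled inside suboptions */
#define SLC_REPLY_CAP 32 /* deliberately small fixed-size buffer for the example */

/* Hypothetical fixed-size reply buffer, standing in for the BSS buffer
 * that the advisory says slc_add_reply() could overrun. */
struct slc_reply {
    uint8_t buf[SLC_REPLY_CAP];
    size_t  len;
    int     overflowed; /* set once an append has been refused */
};

static void slc_reply_init(struct slc_reply *r) { memset(r, 0, sizeof *r); }

/* Append one byte, doubling IAC. The caller has already reserved space. */
static void put_escaped(struct slc_reply *r, uint8_t b) {
    r->buf[r->len++] = b;
    if (b == IAC)
        r->buf[r->len++] = IAC;
}

/* Append one SLC triple (func, flags, value). Each byte may expand to two
 * when it equals IAC, so the worst case is 6 bytes: check for that before
 * writing anything. Returns 0 on success, -1 when the triple is refused. */
int slc_add_reply_bounded(struct slc_reply *r, uint8_t func, uint8_t flags, uint8_t value) {
    if (r->len + 6 > SLC_REPLY_CAP) {
        r->overflowed = 1;
        return -1;
    }
    put_escaped(r, func);
    put_escaped(r, flags);
    put_escaped(r, value);
    return 0;
}

/* Walk a (constructed, already de-escaped) LINEMODE SLC suboption body in
 * triples, stopping at the first refused append or at a trailing partial
 * triple. Returns the number of triples accepted; r->len never exceeds
 * SLC_REPLY_CAP regardless of how long the server's suboption is. */
size_t feed_slc_suboption(struct slc_reply *r, const uint8_t *sub, size_t sublen) {
    size_t accepted = 0;
    for (; sublen >= 3; sub += 3, sublen -= 3) {
        if (slc_add_reply_bounded(r, sub[0], sub[1], sub[2]) != 0)
            break;
        accepted++;
    }
    return accepted;
}
```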


Solutions and Workarounds
=========================

There is no workaround to this problem.

It is recommended that all NetBSD users of affected versions upgrade
their telnet binaries to a non-vulnerable version.

The following instructions describe how to upgrade your telnet
binaries by updating your source tree and rebuilding and
installing a new version of telnet.


* NetBSD-current:

	Systems running NetBSD-current dated from before 2005-03-29
	should be upgraded to NetBSD-current dated 2005-04-01 or later.

	The following files need to be updated from the netbsd-current CVS
	branch (aka HEAD):
		usr.bin/telnet/telnet.c

	To update from CVS, re-build, and re-install telnet:
		# cd src
		# cvs update -d -P usr.bin/telnet/telnet.c
		# cd usr.bin/telnet

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 2.0:

	The binary distribution of NetBSD 2.0 is vulnerable.

	NetBSD 2.1 includes the fix.

	Systems running NetBSD 2.0 sources dated from before
	2005-04-08 should be upgraded from NetBSD 2.0 sources dated
	2005-04-09 or later.

	The following files need to be updated from the
	netbsd-2-0 CVS branch:
		usr.bin/telnet/telnet.c

	To update from CVS, re-build, and re-install telnet:

		# cd src
		# cvs update -d -P -r netbsd-2-0 usr.bin/telnet/telnet.c
		# cd usr.bin/telnet

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 1.6, 1.6.1, 1.6.2:

	The binary distributions of NetBSD 1.6, 1.6.1, and 1.6.2 are vulnerable.

	Systems running NetBSD 1.6 sources dated from before
	2005-04-08 should be upgraded from NetBSD 1.6 sources dated
	2005-04-09 or later.

	NetBSD 1.6.3 will include the fix.

	The following files need to be updated from the
	netbsd-1-6 CVS branch:
		usr.bin/telnet/telnet.c

	To update from CVS, re-build, and re-install telnet:

		# cd src
		# cvs update -d -P -r netbsd-1-6 usr.bin/telnet/telnet.c
		# cd usr.bin/telnet

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


Thanks To
=========

iDEFENSE for researching this vulnerability.

MIT for alerting us about this vulnerability and providing a fix.


Revision History
================

	2005-10-31	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-004.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-004.txt,v 1.13 2005/10/31 06:36:35 gendalia Exp $
