Subject: Re: NetBSD talkd ..vulnerable?
To: None <mbwood@netcom.com,>
From: Rick Byers <rickb@iaw.on.ca>
List: netbsd-help
Date: 01/28/1997 11:13:14
Hi All,

I'm no expert at this, but I just compared the FreeBSD patches to the
NetBSD 1.2 source for talkd.  All of the changes are already implemented
in the netbsd source (did FreeBSD just copy the NetBSD source?).  The only
difference being that FreeBSD uses MAXHOSTNAMELEN (currently 256 in
sys/param.h) for the length of the hostname string.  NetBSD just uses 32,
but it calls gethostbyname with size set to 31, so it won't overflow, you
just can't talk with hosts over 32 characters long.

As far as I can tell, the netbsd talkd is safe.  The Bind that comes with
netbsd on the other hand, may not be.  Would anyone else care to confirm
this?

Rick

On Mon, 27 Jan 1997, Matthew B. Wood wrote:

> per CERT Advisory CA-97.04, talkd has been found to be exploitable:
> 
> ....
>      As part of the talk connection, talkd does a DNS lookup for the name
>      of the host that the connection is being initiated from. Because there
>      is insufficient bounds checking on the buffer where the hostname is
>      stored, it is possible to overwrite the internal stack space of talkd.
> 
>      It is possible to force talkd to execute arbitrary commands by carefully
>      manipulating the hostname information. As talkd runs with root
>      privileges, this may allow intruders to remotely execute arbitrary
>      commands with these privileges.
> ....
> 
> It seems the FreeBSD crew has a talkd patch available.  Can this be  
> easily used by us NetBSD folks?  Or is NetBSD's talkd safe?
> 
> 
> -- 
> Matthew B. Wood                                              mbwood@netcom.com
>     
>       "Do you know how many time zones there are in the Soviet Union?"
> 

=========================================================================
Rick Byers                                      Internet Access Worldwide
rickb@iaw.on.ca                                System Admin, Tech Support
Welland, Ontario, Canada                                    (905)714-1400
http://www.iaw.on.ca/rickb/                         http://www.iaw.on.ca/
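
The bounded copy described in the reply above (a 32-byte name field that takes at most 31 characters), as an added example that is not part of the original messages and is not code from the NetBSD or FreeBSD talkd source. `struct peer`, `copy_hostname`, `demo_long_name` and the sample name are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 32       /* field size the post cites for NetBSD's talkd */
#define LONG_NAME_LEN 255  /* constructed over-long name for the demo */

struct peer {              /* hypothetical record, not talkd's own struct */
    char name[NAME_SIZE];
    unsigned guard;        /* stands in for whatever sits after the buffer */
};

/* Copy src into dst[dstsize], always NUL-terminated.
 * Returns 0 if the name fit, 1 if it was truncated, -1 on bad arguments. */
int copy_hostname(char *dst, size_t dstsize, const char *src)
{
    const char *end;

    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    end = memchr(src, '\0', dstsize);   /* scan at most dstsize bytes */
    if (end == NULL) {                  /* name needs more than dstsize-1 */
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Returns 1 if an over-long name is reported as truncated, stays inside
 * the field, and leaves the adjacent guard value untouched. */
int demo_long_name(void)
{
    char longname[LONG_NAME_LEN + 1];
    struct peer p;
    int rc;

    memset(longname, 'a', LONG_NAME_LEN);
    longname[LONG_NAME_LEN] = '\0';
    p.guard = 0xC0FFEEu;
    rc = copy_hostname(p.name, sizeof p.name, longname);
    return rc == 1 && strlen(p.name) == NAME_SIZE - 1 && p.guard == 0xC0FFEEu;
}

int main(void)
{
    printf("long name handled safely: %d\n", demo_long_name());
    return 0;
}
```

A return value of 1 lets the caller refuse a truncated name instead of acting on a prefix of it.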