Subject: Safer Version of telnetd
To: None <port-i386@NetBSD.ORG>
From: Curt Sampson <curt@portal.ca>
List: port-i386
Date: 10/31/1995 20:36:15
For those still running NetBSD 1.0, I've compiled the version of
telnetd from NetBSD-current and made it available on my ftp site.
The 1.0 telnetd doesn't filter the environment variables, and this
lets someone make login run with a compromised libc.so and/or
libcrypt.so if they can get that onto your system (say, via an
anonymous FTP upload, or by putting it in their home directory if
they have an ID). This can give them root access.
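The fix in the newer telnetd is, in essence, a whitelist/blacklist applied to the environment the remote client asks to export before login is exec'd. The code below is an added illustration of that kind of filter, not NetBSD's own telnetd source: the list of denied names and prefixes (the LD_ prefix that steers the dynamic linker, plus a few shell-startup variables) is an assumption chosen for the example, and the entry format NAME=value is the standard C envp convention.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative deny lists (an assumption for this example, not the
 * exact policy NetBSD's telnetd applies). LD_* variables tell the
 * dynamic linker where to find shared objects, which is how a planted
 * libc.so or libcrypt.so could end up inside a setuid login. */
static const char *denied_prefixes[] = { "LD_", NULL };
static const char *denied_names[]    = { "IFS", "ENV", "BASH_ENV", NULL };

/* Return 1 if an environment entry of the form NAME=value may be passed
 * on to login, 0 if it must be dropped. Entries with no '=' or with an
 * empty name are dropped as malformed. */
int env_entry_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t namelen = (size_t)(eq - entry);

    for (const char **p = denied_prefixes; *p != NULL; p++) {
        size_t plen = strlen(*p);
        if (namelen >= plen && strncmp(entry, *p, plen) == 0)
            return 0;
    }
    for (const char **p = denied_names; *p != NULL; p++) {
        if (namelen == strlen(*p) && strncmp(entry, *p, namelen) == 0)
            return 0;
    }
    return 1;
}

/* Copy the allowed entries of a NULL-terminated envp into out, which
 * must have room for every entry of in plus the terminating NULL.
 * Returns the number of entries kept. */
size_t filter_environment(char *const in[], const char *out[]) {
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL; i++) {
        if (env_entry_allowed(in[i]))
            out[n++] = in[i];
    }
    out[n] = NULL;
    return n;
}

int main(void) {
    /* Constructed sample of what a remote client might try to export. */
    char *requested[] = {
        "TERM=vt100",
        "LD_LIBRARY_PATH=/incoming/pub",   /* would redirect libc lookups */
        "HOME=/home/example",
        "IFS= ",
        NULL
    };
    const char *safe[5];
    size_t kept = filter_environment(requested, safe);
    printf("kept %zu of 4 entries:\n", kept);
    for (size_t i = 0; safe[i] != NULL; i++)
        printf("  %s\n", safe[i]);
    return 0;
}
```

The important property is that filtering happens in telnetd, before the privileged login process exists, so nothing the client sends can influence which shared libraries login links against.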

To get the new version, ftp to ftp.portal.ca and log in as anonymous.
Retrieve the file /pub/unix/NetBSD/telnetd.gz, uncompress it, and
replace the old version of /usr/libexec/telnetd with this one. It's
also probably a good idea to check your /etc/inetd.conf to make
sure that /usr/libexec/telnetd is the file that's actually being
executed when someone telnets in.

Alternatively, if you don't trust me, it's hardly more work to grab
the NetBSD-current telnetd sources from ftp.netbsd.org or your
favourite mirror and compile them. No changes are required for
NetBSD-1.0.

You can check that you've got the new version by running ident on
the executable. The compromised version will return (among other
things)

     $Id: state.c,v 1.5 1994/02/25 03:20:54 cgd Exp $

and the new one will return

     $Id: state.c,v 1.5.4.2 1995/10/19 12:48:54 ghudson Exp $

As an aside, I've also got a fix for the syslog problem/security
hole in the same directory. Read the README for more details.

cjs

Curt Sampson    curt@portal.ca          Info at http://www.portal.ca/
Internet Portal Services, Inc.
Vancouver, BC   (604) 257-9400          De gustibus, aut bene aut nihil.