Subject: Re: Heimdal telnetd advisory
To: None <tech-security@netbsd.org>
From: Christos Zoulas <christos@astron.com>
List: tech-security
Date: 06/24/2005 20:54:22
In article <20050624171051.GA23737@panix.com>,
Ed Ravin  <eravin@panix.com> wrote:
>An advisory came out a few days ago for Heimdal telnetd:
>
>   http://www.pdc.kth.se/heimdal/advisory/2005-06-20/
>
>   2005-06-20: telnetd vulnerabilities
>
>   The telnetd server program in Heimdal has buffer overflows in the function
>   getterminaltype, which may lead to remote code execution.
>
>   0.6.5 and 0.7 fixes this problem.
>
>   The only workaround for this bug is to not use the telnetd server program.
>
>NetBSD uses (or at least started with) the Heimdal code.  Does this affect
>NetBSD?
>
>  -- Ed, who also wonders what happened to the NetBSD security advisory for
>the telnet a few months ago...

Yes, but it is not an unlimited buffer overflow like the original Heimdal
code. You can only overwrite the next 215 bytes of memory that are next
to the terminaltype static, so I don't think it is exploitable. Anyway,
Love committed the fix from 0.7 today and he should issue pullup requests.

christos