Bug#: 87145
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>

Filename: krb5-1.3.6-telnet.patch
Description: Backported patch to 1.3.6
Type: patch
Creator: Ryan Phillips (RETIRED)
Created: 2005-03-29 11:55 0000
Size: 1.93 KB



Description:   Opened: 2005-03-29 10:43 0000

                 MIT krb5 Security Advisory 2005-001

Original release: 2005-03-28

Topic: Buffer overflows in telnet client

Severity: serious

SUMMARY
=======

The telnet client program supplied with MIT Kerberos 5 has buffer
overflows in the functions slc_add_reply() and env_opt_add(), which
may lead to remote code execution.

IMPACT
======

An attacker controlling or impersonating a telnet server may execute
arbitrary code with the privileges of the user running the telnet
client.  The attacker would need to convince the user to connect to a
malicious server, perhaps by automatically launching the client from a
web page.  Additional user interaction may not be required if the
attacker can get the user to view HTML containing an IFRAME tag
containing a "telnet:" URL pointing to a malicious server.

AFFECTED SOFTWARE
=================

* telnet client programs included with the MIT Kerberos 5
  implementation, up to and including release krb5-1.4.

* Other telnet client programs derived from the BSD telnet
  implementation may be vulnerable.

FIXES
=====

* WORKAROUND: Disable handling of "telnet:" URLs in web browsers,
  email readers, etc., or remove execute permissions from the telnet
  client program.

* The upcoming krb5-1.4.1 patch release will contain fixes for this
  problem.

* Apply the patch found at:

  http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt.asc

  The patch was generated against the krb5-1.4 release.  It may apply
  against earlier releases with some offset.

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

[IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities

CVE: CAN-2005-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

[IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities

CVE: CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

ACKNOWLEDGMENTS
===============

Thanks to iDEFENSE for notifying us of these vulnerabilities, and for
providing useful feedback.

DETAILS
=======

The slc_add_reply() function in telnet.c performs inadequate length
checking.  By sending a carefully crafted telnet LINEMODE suboption
string, a malicious telnet server may cause a telnet client to
overflow a fixed-size data segment or BSS buffer and execute arbitrary
code.

The env_opt_add() function in telnet.c performs inadequate length
checking.  By sending a carefully crafted telnet NEW-ENVIRON suboption
string, a malicious telnet server may cause a telnet client to
overflow a heap buffer and execute arbitrary code.

REVISION HISTORY
================

2005-03-28      original release

Copyright (C) 2005 Massachusetts Institute of Technology
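As an added illustration, not code from telnet.c or from the backported patch attached to this bug, the C sketch below shows the kind of bound check the advisory says slc_add_reply() lacked: a fixed-size reply buffer (standing in for the data-segment/BSS array the advisory mentions) that refuses a LINEMODE SLC entry when it would not fit, with IAC bytes doubled as telnet suboption data requires. The struct, function names and the 128-byte size are assumptions; the three-byte (function, flags, level) SLC entry layout follows RFC 1184.

```c
#include <stddef.h>

#define IAC 255                 /* telnet "Interpret As Command" byte (RFC 854) */
#define SLC_REPLY_SIZE 128      /* assumed fixed-size reply buffer, like a BSS array */

/* Hypothetical reply accumulator: a fixed-size buffer plus a write cursor. */
struct slc_reply {
    unsigned char buf[SLC_REPLY_SIZE];
    size_t len;
};

/* Wire length of one SLC triple once IAC bytes are doubled: 3 raw, up to 6. */
static size_t slc_triple_wire_len(unsigned char func, unsigned char flags, unsigned char level)
{
    size_t n = 3;
    if (func == IAC) n++;
    if (flags == IAC) n++;
    if (level == IAC) n++;
    return n;
}

static void put_escaped(struct slc_reply *r, unsigned char c)
{
    r->buf[r->len++] = c;
    if (c == IAC) r->buf[r->len++] = IAC;   /* IAC inside suboption data is doubled */
}

/* Append one (func, flags, level) triple. Returns 0 on success, -1 when the
 * triple would not fit; the caller must then stop (or flush) instead of
 * writing past the array. Two bytes are reserved for the closing IAC SE. */
int slc_reply_add(struct slc_reply *r, unsigned char func, unsigned char flags, unsigned char level)
{
    size_t need = slc_triple_wire_len(func, flags, level);
    if (r->len + need + 2 > sizeof r->buf)
        return -1;                          /* the missing check: refuse, never overrun */
    put_escaped(r, func);
    put_escaped(r, flags);
    put_escaped(r, level);
    return 0;
}

/* Constructed worst-case input: all-IAC triples (6 wire bytes each). Returns how
 * many are accepted before the buffer refuses further entries: (128 - 2) / 6 = 21. */
int slc_reply_fill_count(void)
{
    struct slc_reply r = {0};
    int accepted = 0;
    while (slc_reply_add(&r, IAC, IAC, IAC) == 0)
        accepted++;
    return accepted;
}
```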

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-03-29 10:55:12 0000 -------
*** Bug 85461 has been marked as a duplicate of this bug. ***

------- Comment #2 From Ryan Phillips (RETIRED) 2005-03-29 11:55:49 0000 -------
Created an attachment (id=54784)
Backported patch to 1.3.6

Backported patch for testing

------- Comment #3 From Ryan Phillips (RETIRED) 2005-03-29 11:56:26 0000 -------
I have added a backported patch for the 1.3.6 branch for testing and
verification.  Comments please.

------- Comment #4 From Sune Kloppenborg Jeppesen 2005-03-29 14:05:18 0000 -------
Audit please verify.

------- Comment #5 From Thierry Carrez (RETIRED) 2005-03-31 00:21:29 0000 -------
Ryan: backport looks ok, please commit as 1.3.6-r2

------- Comment #6 From Thierry Carrez (RETIRED) 2005-04-02 03:31:58 0000 -------
Ryan/kerberos-herd: please commit the patch

------- Comment #7 From Ryan Phillips (RETIRED) 2005-04-04 09:12:55 0000 -------
Patch has been committed to the -r2 ebuild.

------- Comment #8 From Thierry Carrez (RETIRED) 2005-04-04 11:57:58 0000 -------
Arches, please test 1.3.6-r2 (especially the telnet client) and mark stable

------- Comment #9 From Michael Hanselmann (hansmi) (RETIRED) 2005-04-04 12:32:29 0000 -------
Stable on ppc.

------- Comment #10 From Jan Brinkmann (RETIRED) 2005-04-04 13:26:17 0000 -------
problems with src_test on amd64

x86_64-pc-linux-gnu-gcc -L../../../lib -Wl,-rpath -Wl,/usr/lib -O2 -march=k8 -pipe  -o dbtest dbtest.o  -ldb
LD_LIBRARY_PATH=`echo -L../../../lib | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH; srcdir=. TMPDIR=. /bin/sh ./run.test
Test 1: btree, hash: small key, small data pairs
test1: type hash: failed
make[3]: *** [check] Error 1
make[3]: Leaving directory `/var/tmp/portage/mit-krb5-1.3.6-r2/work/krb5-1.3.6/src/util/db2/test'
make[2]: *** [check-recurse] Error 1
make[2]: Leaving directory `/var/tmp/portage/mit-krb5-1.3.6-r2/work/krb5-1.3.6/src/util/db2'
make[1]: *** [check-recurse] Error 1
make[1]: Leaving directory `/var/tmp/portage/mit-krb5-1.3.6-r2/work/krb5-1.3.6/src/util'
make: *** [check-recurse] Error 1

!!! ERROR: app-crypt/mit-krb5-1.3.6-r2 failed.
!!! Function src_test, Line 566, Exitcode 0
!!! Make check failed. See above for details.
!!! If you need support, post the topmost build error, NOT this status message.



---------
Portage 2.0.51.19 (default-linux/amd64/2004.3, gcc-3.4.3, glibc-2.3.4.20040808-r1, 2.6.11-gentoo-r5 x86_64)
=================================================================
System uname: 2.6.11-gentoo-r5 x86_64 AMD Athlon(tm) 64 Processor 3500+
Gentoo Base System version 1.4.16
Python:              dev-lang/python-2.3.4-r1,dev-lang/python-2.4 [2.4 (#1, Jan 10 2005, 21:27:20)]
dev-lang/python:     2.3.4-r1, 2.4
sys-devel/autoconf:  2.59-r6, 2.13
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.4
sys-devel/binutils:  2.15.92.0.2-r1, 2.15.92.0.2-r2
sys-devel/libtool:   1.5.10-r4
virtual/os-headers:  2.6.8.1-r4
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=k8 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=k8 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig cvs distlocks fixpackages maketest manifest sandbox sfperms sign strict test userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://pandemonium.tiscali.de/pub/gentoo/"
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage-cvs/gentoo-x86 /usr/local/portage-cvs/gentoo-java-experimental"
SYNC="rsync://10.0.0.2/portage"
USE="X aalib acpi adns alsa amd64 apache avi berkdb bitmap-fonts bzlib cdr crypt cups curl dba directfb divx4linux dvd dvdr emul-linux-x86 encode esd flac font-server foomaticdb fortran ftp gcj gd gdbm ggi gif gimpprint gpm gtk gtk2 guile icq imagemagick imap imlib ipv6 jack java jikes jp2 jpeg junit ldap libwww lzw lzw-tiff mad mbox mikmod mp3 mpeg multislot mysql nas ncurses nls nptl oggvorbis openal opengl oss pam pcre pdflib perl pic png python quicktime readline ruby samba sdl speex sqlite ssl svg tcpd tetex tiff truetype truetype-fonts type1-fonts unicode usb userlocales wmf xml xml2 xmms xosd xpm xrandr xv xvid zlib"
Unset:  ASFLAGS, CBUILD, CTARGET, LDFLAGS

------- Comment #11 From Gustavo Zacarias (RETIRED) 2005-04-04 15:08:06 0000 -------
sparc-tastic!

------- Comment #12 From Markus Rothe 2005-04-05 07:47:13 0000 -------
stable on ppc64

------- Comment #13 From Thierry Carrez (RETIRED) 2005-04-05 09:10:10 0000 -------
luckyduck: could you double-check if it's a regression or not? If the current
amd64 stable version displays the same src_test errors (i.e. it's a bug, but
not a regression), then please mark stable, we need it for security. If the
previous version was alright, it's of course different...

------- Comment #14 From Hardave Riar (RETIRED) 2005-04-05 10:05:41 0000 -------
Stable on mips.

------- Comment #15 From Jan Brinkmann (RETIRED) 2005-04-05 11:08:20 0000 -------
stable on amd64, latest stable version has the same problems

------- Comment #16 From Bryan Østergaard (RETIRED) 2005-04-06 00:54:21 0000 -------
Stable on alpha.

------- Comment #17 From Thierry Carrez (RETIRED) 2005-04-06 05:03:03 0000 -------
GLSA 200504-04
arm hppa ia64 s390: please mark stable to benefit from GLSA

------- Comment #18 From René Nussbaumer 2005-06-26 07:25:51 0000 -------
Already stable on hppa
