-----BEGIN PGP SIGNED MESSAGE-----

                 MIT krb5 Security Advisory 2005-001

Original release: 2005-03-28

Topic: Buffer overflows in telnet client

Severity: serious

SUMMARY
=======

The telnet client program supplied with MIT Kerberos 5 has buffer
overflows in the functions slc_add_reply() and env_opt_add(), which may
lead to remote code execution.

IMPACT
======

An attacker controlling or impersonating a telnet server may execute
arbitrary code with the privileges of the user running the telnet
client. The attacker would need to convince the user to connect to a
malicious server, perhaps by automatically launching the client from a
web page. Additional user interaction may not be required if the
attacker can get the user to view HTML containing an IFRAME tag
containing a "telnet:" URL pointing to a malicious server.

AFFECTED SOFTWARE
=================

* telnet client programs included with the MIT Kerberos 5
  implementation, up to and including release krb5-1.4.

* Other telnet client programs derived from the BSD telnet
  implementation may be vulnerable.

FIXES
=====

* WORKAROUND: Disable handling of "telnet:" URLs in web browsers, email
  readers, etc., or remove execute permissions from the telnet client
  program.

* The upcoming krb5-1.4.1 patch release will contain fixes for this
  problem.

* Apply the patch found at:

  http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt.asc

  The patch was generated against the krb5-1.4 release. It may apply
  against earlier releases with some offset.
REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

[IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities

CVE: CAN-2005-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

[IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities

CVE: CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

ACKNOWLEDGMENTS
===============

Thanks to iDEFENSE for notifying us of these vulnerabilities, and for
providing useful feedback.

DETAILS
=======

The slc_add_reply() function in telnet.c performs inadequate length
checking. By sending a carefully crafted telnet LINEMODE suboption
string, a malicious telnet server may cause a telnet client to overflow
a fixed-size data segment or BSS buffer and execute arbitrary code.

The env_opt_add() function in telnet.c performs inadequate length
checking. By sending a carefully crafted telnet NEW-ENVIRON suboption
string, a malicious telnet server may cause a telnet client to overflow
a heap buffer and execute arbitrary code.

REVISION HISTORY
================

2005-03-28 original release

Copyright (C) 2005 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)

iQCVAwUBQkiLWqbDgE/zdoE9AQFSsgQAua79YPzliPsWCnWTBWNkk9DZnME4RYNu
lmBkFlM2u/zaEAKQaml8QJ8k3TQ5WB0GztqSOEIWuG5ZahyOZQefrGCCHuD2JKFZ
g4q6PNM7dvbUCBB9HcR+GHlgr+01ofMjVuhhZ8Rj0icqCs5MojP5+0VSqr94w1zv
MS06L8DXn00=
=LT9x
-----END PGP SIGNATURE-----
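To make the DETAILS section above concrete, here is an added illustrative model of the slc_add_reply() bug class. It is example code written for this page, not MIT's telnet.c or the Gentoo patch: the struct, the function names, the 128-byte declared capacity (chosen to mirror a fixed-size reply buffer) and the constructed server suboption are all assumptions. A LINEMODE SLC suboption whose triplets are all 0xff bytes is built, so every byte is IAC-doubled on the wire and doubled again when the client echoes it into its reply; the suboption is then fed through an unchecked append (the vulnerable shape) and through a checked append that refuses a triplet unless its worst-case 6-byte expansion plus the closing IAC SE still fits. To keep the demo itself memory-safe, bytes written past the declared capacity are counted inside a larger backing array rather than actually written out of bounds. The check asks the question any length check on escaped suboption data, including the NEW-ENVIRON reply built by env_opt_add(), must answer: how long can the output be after escaping, not before.

```c
/* Illustrative model of the LINEMODE SLC reply-buffer overflow
 * (CAN-2005-0469). Added example code, not MIT's telnet.c: names,
 * REPLY_CAP and the constructed suboption are assumptions. */
#include <stddef.h>
#include <stdio.h>

#define IAC 255
#define SB  250
#define SE  240
#define TELOPT_LINEMODE 34
#define LM_SLC 3

#define REPLY_CAP     128              /* declared size of the fixed reply buffer   */
#define BACKING       (REPLY_CAP * 8)  /* real storage, so the demo never corrupts  */
#define SLC_MAX_BYTES 6                /* func, flags, level, each doubled if IAC    */
#define SLC_END_BYTES 2                /* trailing IAC SE written by slc_end_reply() */

struct reply {
    unsigned char buf[BACKING];
    size_t len;       /* bytes the writer believes it has produced          */
    size_t dropped;   /* triplets refused by the bounds check (checked mode) */
};

static void put_byte(struct reply *r, unsigned char c)
{
    if (r->len < BACKING)          /* guard for the demo only; counts the overrun */
        r->buf[r->len] = c;
    r->len++;
}

static void put_escaped(struct reply *r, unsigned char c)
{
    put_byte(r, c);
    if (c == IAC)                  /* IAC inside suboption data goes out doubled */
        put_byte(r, IAC);
}

static void slc_start_reply(struct reply *r)
{
    r->len = 0;
    r->dropped = 0;
    put_byte(r, IAC); put_byte(r, SB);
    put_byte(r, TELOPT_LINEMODE); put_byte(r, LM_SLC);
}

/* Vulnerable shape: append the triplet no matter how full the buffer is. */
static void slc_add_reply_unchecked(struct reply *r, unsigned char func,
                                    unsigned char flags, unsigned char level)
{
    put_escaped(r, func);
    put_escaped(r, flags);
    put_escaped(r, level);
}

/* Hardened shape: refuse unless the worst-case expansion plus IAC SE fits. */
static int slc_add_reply_checked(struct reply *r, unsigned char func,
                                 unsigned char flags, unsigned char level)
{
    if (r->len + SLC_MAX_BYTES + SLC_END_BYTES > REPLY_CAP) {
        r->dropped++;
        return 0;
    }
    slc_add_reply_unchecked(r, func, flags, level);
    return 1;
}

static void slc_end_reply(struct reply *r)
{
    put_byte(r, IAC);
    put_byte(r, SE);
}

/* Constructed server payload: IAC SB LINEMODE SLC, ntriplets triplets whose
 * bytes are all IAC (so each is sent as IAC IAC), then IAC SE. Returns length. */
static size_t build_slc_suboption(unsigned char *out, size_t outcap, size_t ntriplets)
{
    size_t n = 0, i;
    if (outcap < 4 + ntriplets * 6 + 2)
        return 0;
    out[n++] = IAC; out[n++] = SB; out[n++] = TELOPT_LINEMODE; out[n++] = LM_SLC;
    for (i = 0; i < ntriplets * 3; i++) { out[n++] = IAC; out[n++] = IAC; }
    out[n++] = IAC; out[n++] = SE;
    return n;
}

/* Client side: strip IAC doubling, group into triplets, echo each one into
 * the reply buffer. Returns the length the writer believes it produced. */
static size_t process_slc(const unsigned char *sub, size_t n, int checked, struct reply *r)
{
    unsigned char trip[3];
    size_t i = 4, k = 0;                 /* skip IAC SB LINEMODE SLC header */
    slc_start_reply(r);
    while (i + 1 < n && !(sub[i] == IAC && sub[i + 1] == SE)) {
        unsigned char c = sub[i++];
        if (c == IAC && sub[i] == IAC)   /* doubled IAC -> one 0xff data byte */
            i++;
        trip[k++] = c;
        if (k == 3) {
            k = 0;
            if (checked) slc_add_reply_checked(r, trip[0], trip[1], trip[2]);
            else         slc_add_reply_unchecked(r, trip[0], trip[1], trip[2]);
        }
    }
    slc_end_reply(r);
    return r->len;
}

static size_t reply_overrun(const struct reply *r)
{
    return r->len > REPLY_CAP ? r->len - REPLY_CAP : 0;
}

static struct reply g_reply;             /* result of the last run_demo() call */

static size_t run_demo(size_t ntriplets, int checked)
{
    static unsigned char wire[4096];
    size_t n = build_slc_suboption(wire, sizeof wire, ntriplets);
    return n ? process_slc(wire, n, checked, &g_reply) : 0;
}

int main(void)
{
    run_demo(40, 0);
    printf("unchecked: %zu bytes, overruns the %d-byte buffer by %zu\n",
           g_reply.len, REPLY_CAP, reply_overrun(&g_reply));
    run_demo(40, 1);
    printf("checked:   %zu bytes, %zu triplets dropped, overrun %zu\n",
           g_reply.len, g_reply.dropped, reply_overrun(&g_reply));
    return 0;
}
```

With 40 all-0xff triplets the unchecked writer produces 4 + 40*6 + 2 = 246 bytes against a 128-byte buffer, while the checked writer accepts 20 triplets, drops the remaining 20 and closes the suboption at 126 bytes. The point of the check is its operands: it budgets for the escaped size of what is about to be written plus what slc_end_reply() will still need, rather than for the raw input length.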
*** Bug 85461 has been marked as a duplicate of this bug. ***
Created attachment 54784: Backported patch to 1.3.6
Backported patch for testing
I have added a backported patch for the 1.3.6 branch for testing and verification. Comments please.
Audit please verify.
Ryan: backport looks ok, please commit as 1.3.6-r2
Ryan/kerberos-herd: please commit the patch
Patch has been committed to the -r2 ebuild.
Arches, please test 1.3.6-r2 (especially the telnet client) and mark stable
Stable on ppc.
problems with src_test on amd64

x86_64-pc-linux-gnu-gcc -L../../../lib -Wl,-rpath -Wl,/usr/lib -O2 -march=k8 -pipe -o dbtest dbtest.o -ldb
LD_LIBRARY_PATH=`echo -L../../../lib | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH; srcdir=. TMPDIR=. /bin/sh ./run.test
Test 1: btree, hash: small key, small data pairs
test1: type hash: failed
make[3]: *** [check] Error 1
make[3]: Leaving directory `/var/tmp/portage/mit-krb5-1.3.6-r2/work/krb5-1.3.6/src/util/db2/test'
make[2]: *** [check-recurse] Error 1
make[2]: Leaving directory `/var/tmp/portage/mit-krb5-1.3.6-r2/work/krb5-1.3.6/src/util/db2'
make[1]: *** [check-recurse] Error 1
make[1]: Leaving directory `/var/tmp/portage/mit-krb5-1.3.6-r2/work/krb5-1.3.6/src/util'
make: *** [check-recurse] Error 1

!!! ERROR: app-crypt/mit-krb5-1.3.6-r2 failed.
!!! Function src_test, Line 566, Exitcode 0
!!! Make check failed. See above for details.
!!! If you need support, post the topmost build error, NOT this status message.

---------

Portage 2.0.51.19 (default-linux/amd64/2004.3, gcc-3.4.3, glibc-2.3.4.20040808-r1, 2.6.11-gentoo-r5 x86_64)
=================================================================
System uname: 2.6.11-gentoo-r5 x86_64 AMD Athlon(tm) 64 Processor 3500+
Gentoo Base System version 1.4.16
Python:              dev-lang/python-2.3.4-r1,dev-lang/python-2.4 [2.4 (#1, Jan 10 2005, 21:27:20)]
dev-lang/python:     2.3.4-r1, 2.4
sys-devel/autoconf:  2.59-r6, 2.13
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.4
sys-devel/binutils:  2.15.92.0.2-r1, 2.15.92.0.2-r2
sys-devel/libtool:   1.5.10-r4
virtual/os-headers:  2.6.8.1-r4
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=k8 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=k8 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig cvs distlocks fixpackages maketest manifest sandbox sfperms sign strict test userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://pandemonium.tiscali.de/pub/gentoo/"
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage-cvs/gentoo-x86 /usr/local/portage-cvs/gentoo-java-experimental"
SYNC="rsync://10.0.0.2/portage"
USE="X aalib acpi adns alsa amd64 apache avi berkdb bitmap-fonts bzlib cdr crypt cups curl dba directfb divx4linux dvd dvdr emul-linux-x86 encode esd flac font-server foomaticdb fortran ftp gcj gd gdbm ggi gif gimpprint gpm gtk gtk2 guile icq imagemagick imap imlib ipv6 jack java jikes jp2 jpeg junit ldap libwww lzw lzw-tiff mad mbox mikmod mp3 mpeg multislot mysql nas ncurses nls nptl oggvorbis openal opengl oss pam pcre pdflib perl pic png python quicktime readline ruby samba sdl speex sqlite ssl svg tcpd tetex tiff truetype truetype-fonts type1-fonts unicode usb userlocales wmf xml xml2 xmms xosd xpm xrandr xv xvid zlib"
Unset:  ASFLAGS, CBUILD, CTARGET, LDFLAGS
sparc-tastic!
stable on ppc64
luckyduck: could you double-check if it's a regression or not? If the current amd64 stable version displays the same src_test errors (i.e. it's a bug, but not a regression), then please mark stable, we need it for security. If the previous version was alright, it's of course different...
Stable on mips.
stable on amd64, latest stable version has the same problems
Stable on alpha.
GLSA 200504-04 arm hppa ia64 s390: please mark stable to benefit from GLSA
Already stable on hppa