Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 87145 - app-crypt/mit-krb5 buffer overflow in telnet client
Summary: app-crypt/mit-krb5 buffer overflow in telnet client
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa] koon
: 85461 (view as bug list)
Depends on:
Reported: 2005-03-29 10:43 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-08-15 22:00 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Backported patch to 1.3.6 (krb5-1.3.6-telnet.patch,1.93 KB, patch)
2005-03-29 11:55 UTC, Ryan Phillips (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-29 10:43:39 UTC

                 MIT krb5 Security Advisory 2005-001

Original release: 2005-03-28

Topic: Buffer overflows in telnet client

Severity: serious


The telnet client program supplied with MIT Kerberos 5 has buffer
overflows in the functions slc_add_reply() and env_opt_add(), which
may lead to remote code execution.


An attacker controlling or impersonating a telnet server may execute
arbitrary code with the privileges of the user running the telnet
client.  The attacker would need to convince the user to connect to a
malicious server, perhaps by automatically launching the client from a
web page.  Additional user interaction may not be required if the
attacker can get the user to view HTML containing an IFRAME tag
containing a "telnet:" URL pointing to a malicious server.


* telnet client programs included with the MIT Kerberos 5
  implementation, up to and including release krb5-1.4.

* Other telnet client programs derived from the BSD telnet
  implementation may be vulnerable.


* WORKAROUND: Disable handling of "telnet:" URLs in web browsers,
  email readers, etc., or remove execute permissions from the telnet
  client program.

* The upcoming krb5-1.4.1 patch release will contain fixes for this

* Apply the patch found at:

  The associated detached PGP signature is at:

  The patch was generated against the krb5-1.4 release.  It may apply
  against earlier releases with some offset.


This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

The main MIT Kerberos web page is at:

[IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow

CVE: CAN-2005-0469

[IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow

CVE: CAN-2005-0468


Thanks to iDEFENSE for notifying us of these vulnerabilities, and for
providing useful feedback.


The slc_add_reply() function in telnet.c performs inadequate length
checking.  By sending a carefully crafted telnet LINEMODE suboption
string, a malicious telnet server may cause a telnet client to
overflow a fixed-size data segment or BSS buffer and execute arbitrary

The env_opt_add() function in telnet.c performs inadequate length
checking.  By sending a carefully crafted telnet NEW-ENVIRON suboption
string, a malicious telnet server may cause a telnet client to
overflow a heap buffer and execute arbitrary code.


2005-03-28      original release

Copyright (C) 2005 Massachusetts Institute of Technology
Version: GnuPG v1.2.5 (SunOS)

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-29 10:55:12 UTC
*** Bug 85461 has been marked as a duplicate of this bug. ***
Comment 2 Ryan Phillips (RETIRED) gentoo-dev 2005-03-29 11:55:49 UTC
Created attachment 54784 [details, diff]
Backported patch to 1.3.6

Backported patch for testing
Comment 3 Ryan Phillips (RETIRED) gentoo-dev 2005-03-29 11:56:26 UTC
I have added a backported patch for the 1.3.6 branch for testing and verification.  Comments please.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-29 14:05:18 UTC
Audit please verify.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-03-31 00:21:29 UTC
Ryan: backport looks ok, please commit as 1.3.6-r2
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-04-02 03:31:58 UTC
Ryan/kerberos-herd: please commit the patch
Comment 7 Ryan Phillips (RETIRED) gentoo-dev 2005-04-04 09:12:55 UTC
Patch has been committed to the -r2 ebuild.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-04-04 11:57:58 UTC
Arches, please test 1.3.6-r2 (especially the telnet client) and mark stable
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-04-04 12:32:29 UTC
Stable on ppc.
Comment 10 Jan Brinkmann (RETIRED) gentoo-dev 2005-04-04 13:26:17 UTC
problems with src_test on amd64

x86_64-pc-linux-gnu-gcc -L../../../lib -Wl,-rpath -Wl,/usr/lib -O2 -march=k8 -pipe  -o dbtest dbtest.o  -ldb
LD_LIBRARY_PATH=`echo -L../../../lib | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH; srcdir=. TMPDIR=. /bin/sh ./run.test
Test 1: btree, hash: small key, small data pairs
test1: type hash: failed
make[3]: *** [check] Error 1
make[3]: Leaving directory `/var/tmp/portage/mit-krb5-1.3.6-r2/work/krb5-1.3.6/src/util/db2/test'
make[2]: *** [check-recurse] Error 1
make[2]: Leaving directory `/var/tmp/portage/mit-krb5-1.3.6-r2/work/krb5-1.3.6/src/util/db2'
make[1]: *** [check-recurse] Error 1
make[1]: Leaving directory `/var/tmp/portage/mit-krb5-1.3.6-r2/work/krb5-1.3.6/src/util'
make: *** [check-recurse] Error 1

!!! ERROR: app-crypt/mit-krb5-1.3.6-r2 failed.
!!! Function src_test, Line 566, Exitcode 0
!!! Make check failed. See above for details.
!!! If you need support, post the topmost build error, NOT this status message.

Portage (default-linux/amd64/2004.3, gcc-3.4.3, glibc-, 2.6.11-gentoo-r5 x86_64)
System uname: 2.6.11-gentoo-r5 x86_64 AMD Athlon(tm) 64 Processor 3500+
Gentoo Base System version 1.4.16
Python:              dev-lang/python-2.3.4-r1,dev-lang/python-2.4 [2.4 (#1, Jan 10 2005, 21:27:20)]
dev-lang/python:     2.3.4-r1, 2.4
sys-devel/autoconf:  2.59-r6, 2.13
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.4
sys-devel/libtool:   1.5.10-r4
CFLAGS="-O2 -march=k8 -pipe"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=k8 -pipe"
FEATURES="autoaddcvs autoconfig cvs distlocks fixpackages maketest manifest sandbox sfperms sign strict test userpriv usersandbox"
PORTDIR_OVERLAY="/usr/local/portage-cvs/gentoo-x86 /usr/local/portage-cvs/gentoo-java-experimental"
USE="X aalib acpi adns alsa amd64 apache avi berkdb bitmap-fonts bzlib cdr crypt cups curl dba directfb divx4linux dvd dvdr emul-linux-x86 encode esd flac font-server foomaticdb fortran ftp gcj gd gdbm ggi gif gimpprint gpm gtk gtk2 guile icq imagemagick imap imlib ipv6 jack java jikes jp2 jpeg junit ldap libwww lzw lzw-tiff mad mbox mikmod mp3 mpeg multislot mysql nas ncurses nls nptl oggvorbis openal opengl oss pam pcre pdflib perl pic png python quicktime readline ruby samba sdl speex sqlite ssl svg tcpd tetex tiff truetype truetype-fonts type1-fonts unicode usb userlocales wmf xml xml2 xmms xosd xpm xrandr xv xvid zlib"
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2005-04-04 15:08:06 UTC
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2005-04-05 07:47:13 UTC
stable on ppc64
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-04-05 09:10:10 UTC
luckyduck: could you doublecheck if it's a regression or not ? If the current amd64 stable version displays the same src_test errors (i.e. it's a bug, but not a regression), then please mark stable, we need it for security. If previous version was alright, it's of course different...
Comment 14 Hardave Riar (RETIRED) gentoo-dev 2005-04-05 10:05:41 UTC
Stable on mips.
Comment 15 Jan Brinkmann (RETIRED) gentoo-dev 2005-04-05 11:08:20 UTC
stable on amd64, latest stable version has the same problems
Comment 16 Bryan Østergaard (RETIRED) gentoo-dev 2005-04-06 00:54:21 UTC
Stable on alpha.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-04-06 05:03:03 UTC
GLSA 200504-04
arm hppa ia64 s390: please mark stable to benefit from GLSA
Comment 18 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 07:25:51 UTC
Already stable on hppa