From proff  Thu Jul 25 02:52:02 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id CAA22956 for best-of-security; Thu, 25 Jul 1996 02:52:02 +1000
Received: from brimstone.netspace.org ([128.148.157.143]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id CAA20019 for <proff@SUBURBIA.NET>; Thu, 25 Jul 1996 02:30:27 +1000
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <24122-14074>; Wed, 24 Jul 1996 12:27:47 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id MAA30733; Wed, 24 Jul 1996 12:26:38 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with
          spool id 195634 for BUGTRAQ@NETSPACE.ORG; Wed, 24 Jul 1996 12:17:24
          -0400
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org
          (8.7/8.6.12) with SMTP id LAA28181 for <BUGTRAQ@NETSPACE.ORG>; Wed,
          24 Jul 1996 11:54:38 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from crimelab.com (crimelab.com [198.64.127.1]) by netspace.org
          (8.7/8.6.12) with ESMTP id BAA14938 for <bugtraq@netspace.org>; Wed,
          24 Jul 1996 01:40:17 -0400
Received: from hcs.HARVARD.EDU (hcs.harvard.edu [140.247.73.252]) by
          crimelab.com (8.7.1/8.6.4) with ESMTP id XAA00739 for
          <bugtraq@crimelab.com>; Tue, 23 Jul 1996 23:28:11 -0600 (MDT)
Received: (from dholland@localhost) by hcs.HARVARD.EDU (8.7.4/8.7.3) id
          BAA18220; Wed, 24 Jul 1996 01:41:13 -0400
X-Mailer: ELM [version 2.4 PL22]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Approved-By:  David Holland <dholland@HCS.HARVARD.EDU>
Message-ID: <199607240541.BAA18220@hcs.HARVARD.EDU>
Date: 	Wed, 24 Jul 1996 01:41:12 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
Sender: proff
From: David Holland <dholland@hcs.HARVARD.EDU>
Subject:      Linux NetKit-B update.
X-To:         linux-security@tarsier.cv.nrao.edu, bugtraq@crimelab.com
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

Linux NetKit-B-0.07 has been released (check comp.os.linux.announce
for details).

This fixes the following security problems/hazards:

1. Possible overrun copying DNS results into a buffer on the stack in
fingerd while processing the linux-specific -w ("welcome banner")
option. Patch: convert sprintf to snprintf.

2. Possible overrun copying DNS results into a buffer on the stack in
talkd. This affected FreeBSD, NetBSD, and OpenBSD as well; all have
integrated a fix into the current development tree. It may affect
vendors... Patch: convert sprintf to snprintf in announce.c.

3. Possible overrun copying $TERM into a buffer on the stack in
rlogin. This affects lots of platforms, but has been mentioned here
before I think. Patch: use snprintf or strncpy.

4. Suspicious (but not necessarily exploitable) handling of buffers on
the stack in rshd. Patch: convert sprintf to snprintf.

5. rsh didn't drop root before execing rlogin. This is not a big deal
except in conjunction with (3) -- chmod -s on rlogin is *not*
sufficient.

6. Buffer overflow in ping mentioned yesterday, but it's not on the
stack and consequently probably not exploitable. Patch: use snprintf.

7. Integrated a fix for the telnetd environment bug (old news, but it
hadn't got into the standard linux sources yet.)

Also, there was a bug in sliplogin where it did "setuid(0); system()"
without clearing the environment. A fixed version has been available
for Linux and FreeBSD for some time, but the news had not reached
NetBSD until last week. Vendor versions could be vulnerable.

--
   - David A. Holland          | Number of words in the English language that
     dholland@hcs.harvard.edu  | exist because of typos or misreadings: 381
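
The sprintf-to-snprintf fix that items 1 through 3 describe, written out as an added example (not NetKit or any vendor's code): a fingerd-style welcome banner built from a DNS result, and a bounded copy of $TERM that, unlike bare strncpy, always NUL-terminates. The buffer size and the banner text are assumptions.

```c
/* Added example, not NetKit code: bounded formatting of an on-stack buffer
 * from untrusted input (a DNS result, $TERM). BANNER_MAX is an assumption. */
#include <stdio.h>
#include <string.h>

#define BANNER_MAX 64    /* assumed size of the on-stack buffer */

/* Before the fix the pattern was roughly:
 *     char banner[BANNER_MAX];
 *     sprintf(banner, "Welcome to %s from %s\r\n", local, remote);
 * A DNS name may be up to 255 octets, so 'remote' alone can overrun it. */

/* Builds the banner into 'out' (outsz bytes). Returns 1 if it fit,
 * 0 if snprintf had to truncate; out is NUL-terminated either way. */
int format_welcome(char *out, size_t outsz, const char *local, const char *remote)
{
    int n = snprintf(out, outsz, "Welcome to %s from %s\r\n", local, remote);
    if (n < 0) {                  /* encoding error: leave an empty string */
        if (outsz) out[0] = '\0';
        return 0;
    }
    return (size_t)n < outsz;     /* n >= outsz means output was cut short */
}

/* strncpy leaves no terminator when the source fills the buffer; this copy
 * always terminates and reports truncation instead of silently clipping. */
int copy_term(char *out, size_t outsz, const char *term)
{
    size_t len = strlen(term);
    if (outsz == 0) return 0;
    if (len >= outsz) {
        memcpy(out, term, outsz - 1);
        out[outsz - 1] = '\0';
        return 0;
    }
    memcpy(out, term, len + 1);
    return 1;
}

int main(void)
{
    char banner[BANNER_MAX], term[16], longname[256];
    memset(longname, 'a', sizeof longname - 1);   /* constructed 255-char name */
    longname[sizeof longname - 1] = '\0';
    printf("fits: %d\n", format_welcome(banner, sizeof banner, "hcs", "client.example"));
    printf("fits: %d (len %zu)\n",
           format_welcome(banner, sizeof banner, "hcs", longname), strlen(banner));
    printf("term fits: %d\n", copy_term(term, sizeof term, "vt100"));
    return 0;
}
```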

