From: "David A. Holland"
To: marques@displague.com (Marques Johansson)
cc: ports@FreeBSD.org
cc: netbug@ftp.uk.linux.org
Subject: Re: patch for SSLtelnet vulnerability (CAN-2004-0640)
Date: Sun, 18 Jul 2004 22:27:07 +0100 (BST)
In-Reply-To: <40F75AAE.5040806@displague.com> from "Marques Johansson" at Jul 16, 2004 12:33:50 AM
List-Id: Porting software to FreeBSD

> Apologies in advance for not being familiar with FreeBSD's patch/ports
> system. As far as I can tell, SSLtelnet is deprecated on FreeBSD. Even
> so, I would like to offer the following patch to fix the vulnerability
> described in CAN-2004-0640:
>
> 00_CAN-2004-0640-1.patch
> < patch >
> --- telnetd/telnetd.c.orig 2004-07-13 02:58:01.000000000 -0400
> +++ telnetd/telnetd.c 2004-07-13 03:27:23.000000000 -0400
> @@ -520,7 +520,7 @@
> sprintf(errbuf,"SSL_accept error %s\n",
> ERR_error_string(ERR_get_error(),NULL));
>
> - syslog(LOG_WARNING, errbuf);
> + syslog(LOG_WARNING, "%.500s", errbuf);
>
> BIO_printf(bio_err,errbuf);
>
> < /patch >
>
> Thanks. I am CC'ing this patch to the netkit maintainer email
> given in the package. I have already given this information to the
> Debian maintainer. OpenBSD, NetBSD, & Redhat appear not to use
> telnetd with SSL support. They favor use of "openssl s_client
> -connect host:port".

Hi,

netkit-telnet's telnetd does not have this code. (SSL telnet is not
itself part of netkit, though it might be derived from the netkit
telnetd.)

I'd be more worried about the sprintf call I see in the patch context;
that one looks like it's likely harmless, but if there's one there's
probably more.

The legacy telnetd source all these things are derived from is evil
and fundamentally insecure; I'd encourage anyone interested in having
an SSL-enabled telnetd to do the world a service and write new telnetd
code from scratch.

--
David A. Holland    dholland@ftp.uk.linux.org
NetKit Maintenance  netbug@ftp.uk.linux.org
(if in doubt, use the netkit-0.18 pre1 snap, not 0.17; I haven't had
time to do a new snap, much less a release, and won't for a while)
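
Review bot: the BIO_printf(bio_err,errbuf); call in the trailing context of the telnetd.c hunk at line 520 still passes errbuf as the format string, which is the same pattern this change removes from the syslog call two lines earlier. It should get the same treatment, for example BIO_printf(bio_err, "%s", errbuf);, so that both sinks for errbuf take it as data. The sprintf(errbuf, ...) in the leading context is also unbounded, and the size of errbuf is not visible in the hunk; a bounded write such as snprintf with sizeof(errbuf) would remove the need to reason about how long the ERR_error_string() text can be. Once the buffer is bounded, a plain "%s" in the syslog call is enough, and the "%.500s" precision only makes sense if it is documented against the actual size of errbuf.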