From: Marques Johansson
Date: Fri, 16 Jul 2004 00:33:50 -0400
To: ports@FreeBSD.org, netbug@ftp.uk.linux.org
Subject: patch for SSLtelnet vulnerability (CAN-2004-0640)
Message-ID: <40F75AAE.5040806@displague.com>

Apologies in advance for not being familiar with FreeBSD's patch/ports system.

As far as I can tell, SSLtelnet is deprecated on FreeBSD. Even so, I would like to offer the following patch to fix the vulnerability described in CAN-2004-0640:

00_CAN-2004-0640-1.patch
< patch >
--- telnetd/telnetd.c.orig 2004-07-13 02:58:01.000000000 -0400 +++ telnetd/telnetd.c 2004-07-13 03:27:23.000000000 -0400 
@@ -520,7 +520,7 @@ sprintf(errbuf,"SSL_accept error %s\n", ERR_error_string(ERR_get_error(),NULL)); - syslog(LOG_WARNING, errbuf); + syslog(LOG_WARNING, "%.500s", errbuf); BIO_printf(bio_err,errbuf);
< /patch >

Thanks. I am CC'ing this patch to the netkit maintainer email given in the package. I have already given this information to the Debian maintainer.

OpenBSD, NetBSD, & Redhat appear not to use telnetd with SSL support. They favor use of "openssl s_client -connect host:port".

-- 
Marques Johansson
marques@displague.com
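
Review bot: The trailing context line `BIO_printf(bio_err,errbuf);` still passes errbuf as the format string, the same pattern this hunk removes from the syslog() call, so any `%` conversion in errbuf is still interpreted there. Change it to `BIO_printf(bio_err, "%s", errbuf);` in the same patch. Two smaller points: the `sprintf(errbuf, ...)` in the leading context is unbounded and the size of errbuf is not visible in this hunk, so `snprintf` with `sizeof(errbuf)` would be safer; and the `%.500s` precision needs a comment saying which limit 500 is meant to respect, otherwise plain `%s` is clearer.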