From: Cy Schubert
Date: Sun, 27 Mar 2005 20:05:10 -0800
To: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Subject: New MIT KRB5 Port

While the ports freeze is still in effect, I have a new MIT KRB5-1.4 port ready for commit. Anyone willing to use this preview version of the port or test it is welcome to use it. I've put it at http://komquats.com/ports/krb5-1.4.tar.bz2. If you have any problems or issues with it, just send me an email.

Cheers,
Cy Schubert
Web: http://www.komquats.com and http://www.bcbodybuilder.com
FreeBSD UNIX: Web: http://www.FreeBSD.org
BC Government:

"Lift long enough and I believe arrogance is replaced by humility and fear by courage and selfishness by generosity and rudeness by compassion and caring." -- Dave Draper


From: FreeBSD Security Advisories
Date: Mon, 28 Mar 2005 19:52:14 GMT
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet

=============================================================================
FreeBSD-SA-05:01.telnet                                     Security Advisory
                                                          The FreeBSD Project

Topic:          telnet client buffer overflows

Category:       contrib
Module:         contrib/telnet
Announced:      2005-03-28
Credits:        iDEFENSE
Affects:        All FreeBSD releases prior to 5.4-RELEASE
Corrected:      2005-03-28 15:50:00 UTC (RELENG_5, 5.4-PRERELEASE)
                2005-03-28 15:48:00 UTC (RELENG_4, 4.11-STABLE)
                2005-03-28 15:52:00 UTC (RELENG_5_3, 5.3-RELEASE-p6)
                2005-03-28 15:57:00 UTC (RELENG_4_11, 4.11-RELEASE-p1)
                2005-03-28 15:58:00 UTC (RELENG_4_10, 4.10-RELEASE-p6)
                2005-03-28 16:00:00 UTC (RELENG_4_8, 4.8-RELEASE-p28)
CVE Name:       CAN-2005-0468 CAN-2005-0469

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

The telnet(1) command is a TELNET protocol client, used primarily to establish terminal sessions across a network.

II.  Problem Description

Buffer overflows were discovered in the env_opt_add() and slc_add_reply() functions of the telnet(1) command. TELNET protocol commands, options, and data are copied from the network to a fixed-sized buffer. In the case of env_opt_add (CAN-2005-0468), the buffer is located on the heap. In the case of slc_add_reply (CAN-2005-0469), the buffer is global uninitialized data (BSS).

III. Impact

These buffer overflows may be triggered when connecting to a malicious server, or by an active attacker in the network path between the client and server. Specially crafted TELNET command sequences may cause the execution of arbitrary code with the privileges of the user invoking telnet(1).

IV.  Workaround

Do not use telnet(1) to connect to untrusted machines or over an untrusted network.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_3, RELENG_4_11, RELENG_4_10, or RELENG_4_8 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8, 4.10, 4.11, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet4.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet5.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Rebuild the operating system as described in .

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

Branch
  Path                                                        Revision
- -------------------------------------------------------------------------
RELENG_4
  src/crypto/heimdal/appl/telnet/telnet/telnet.c              1.1.1.1.2.4
  src/crypto/kerberosIV/appl/telnet/telnet/telnet.c           1.1.1.1.2.1
  src/crypto/telnet/telnet/telnet.c                           1.4.2.6
  src/usr.bin/telnet/telnet.c                                 1.8.2.4
RELENG_4_11
  src/UPDATING                                                1.73.2.91.2.2
  src/crypto/heimdal/appl/telnet/telnet/telnet.c              1.1.1.1.2.3.10.1
  src/crypto/kerberosIV/appl/telnet/telnet/telnet.c           1.1.1.1.22.1
  src/crypto/telnet/telnet/telnet.c                           1.4.2.5.12.1
  src/sys/conf/newvers.sh                                     1.44.2.39.2.5
  src/usr.bin/telnet/telnet.c                                 1.8.2.3.12.1
RELENG_4_10
  src/UPDATING                                                1.73.2.90.2.7
  src/crypto/heimdal/appl/telnet/telnet/telnet.c              1.1.1.1.2.3.8.1
  src/crypto/kerberosIV/appl/telnet/telnet/telnet.c           1.1.1.1.20.1
  src/crypto/telnet/telnet/telnet.c                           1.4.2.5.10.1
  src/sys/conf/newvers.sh                                     1.44.2.34.2.8
  src/usr.bin/telnet/telnet.c                                 1.8.2.3.10.1
RELENG_4_8
  src/UPDATING                                                1.73.2.80.2.32
  src/crypto/heimdal/appl/telnet/telnet/telnet.c              1.1.1.1.2.3.4.1
  src/crypto/kerberosIV/appl/telnet/telnet/telnet.c           1.1.1.1.16.1
  src/crypto/telnet/telnet/telnet.c                           1.4.2.5.6.1
  src/sys/conf/newvers.sh                                     1.44.2.29.2.29
  src/usr.bin/telnet/telnet.c                                 1.8.2.3.6.1
RELENG_5
  src/contrib/telnet/telnet/telnet.c                          1.14.6.1
RELENG_5_3
  src/UPDATING                                                1.342.2.13.2.9
  src/contrib/telnet/telnet/telnet.c                          1.14.8.1
  src/sys/conf/newvers.sh                                     1.62.2.15.2.11
- -------------------------------------------------------------------------

VII. References

[IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities

[IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities

(PGP signature omitted.)


From: Will Yardley
Date: Mon, 28 Mar 2005 13:24:08 -0800
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet

On Mon, Mar 28, 2005 at 07:52:14PM +0000, FreeBSD Security Advisories wrote:

[ Not sure elsewhere to follow up to - I don't want to bug the security team directly about this, so just writing the list for now ]

> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch

On my home machine (5.3-RELEASE) this failed - I had to go to /usr/src/contrib/telnet/telnet for the patch to apply.

> c) Rebuild the operating system as described in
> .

Just curious... why is it necessary to rebuild the whole operating system? Normally, the security advisories just have you rebuild the program in question - wouldn't that have sufficed here?

w


From: Colin Percival
Date: Mon, 28 Mar 2005 13:39:29 -0800
To: Will Yardley
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet

Will Yardley wrote:
>> b) Execute the following commands as root:
>>
>> # cd /usr/src
>> # patch < /path/to/patch
>
> On my home machine (5.3-RELEASE) this failed - I had to go to
> /usr/src/contrib/telnet/telnet for the patch to apply.

Somehow the patch wasn't generated correctly for FreeBSD 5.x. It should be fixed soon; but what you've done works for now.

>> c) Rebuild the operating system as described in
>> .
>
> Just curious... why is it necessary to rebuild the whole operating
> system? Normally, the security advisories just have you rebuild the
> program in question - wouldn't that have sufficed here?

For historical reasons, the telnet build is rather messy: Depending upon which options you have set in /etc/make.conf, telnet might need to be rebuilt from one of four different directories. We decided that having everybody run "make buildworld" was far less prone to error than trying to explain which particular version of telnet each system would need to have rebuilt.

Colin Percival


From: "Simon L. Nielsen"
Date: Mon, 28 Mar 2005 23:40:12 +0200
To: Will Yardley
Cc: "Jacques A. Vidrine", freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet

On 2005.03.28 13:24:08 -0800, Will Yardley wrote:
> On Mon, Mar 28, 2005 at 07:52:14PM +0000, FreeBSD Security Advisories wrote:
>
> [ Not sure elsewhere to follow up to - I don't want to bug the security
> team directly about this, so just writing the list for now ]

In general it's fine to bug the security team directly about stuff like this, but we also do read freebsd-security@ :-).

> > b) Execute the following commands as root:
> >
> > # cd /usr/src
> > # patch < /path/to/patch
>
> On my home machine (5.3-RELEASE) this failed - I had to go to
> /usr/src/contrib/telnet/telnet for the patch to apply.

Indeed, looks like the FreeBSD 5 patch is an "old" version since that should have been fixed. I just CC'ed nectar so this can be fixed ASAP.

> > c) Rebuild the operating system as described in
> > .
>
> Just curious... why is it necessary to rebuild the whole operating
> system? Normally, the security advisories just have you rebuild the
> program in question - wouldn't that have sufficed here?

Due to multiple telnet versions (especially in FreeBSD 4) it was judged that including more specific build instructions for all the possible combinations of telnet and build options gave too high a risk for errors, possibly resulting in users not actually getting telnet rebuilt correctly.

--
Simon L. Nielsen

(PGP signature omitted.)


From: Jacques Vidrine
Date: Mon, 28 Mar 2005 16:00:43 -0600
Organization: The FreeBSD Project
To: "Simon L. Nielsen"
Cc: freebsd-security@freebsd.org, Will Yardley
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet

On 3/28/05 3:40 PM, Simon L. Nielsen wrote:
> Indeed, looks like the FreeBSD 5 patch is an "old" version since that
> should have been fixed. I just CC'ed nectar so this can be fixed
> ASAP.

Oops, sorry folks. I've re-uploaded the patch to the master FTP server, and it should propagate to others soon.

> Due to multiple telnet versions (especially in FreeBSD 4) it was
> judged that including more specific build instructions for all the
> possible combinations of telnet and build options gave too high a risk
> for errors, possibly resulting in users not actually getting telnet
> rebuilt correctly.

That's right. For 5.x, it is fairly straightforward:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make
# cd /usr/src/usr.bin/telnet
# make obj && make depend && make && make install

But 4.x has no less than four possible telnet clients that might be installed depending upon local settings of NOCRYPT, MAKE_KERBEROS4, MAKE_KERBEROS5, and probably others :-/

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org


From: KIMURA Yasuhiro
Date: Tue, 29 Mar 2005 07:21:35 +0900 (JST)
To: nectar@FreeBSD.org
Cc: freebsd-security@freebsd.org, freebsd-security@veggiechinese.net, simon@FreeBSD.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet

From: Jacques Vidrine
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet
Date: Mon, 28 Mar 2005 16:00:43 -0600

> > Due to multiple telnet versions (especially in FreeBSD 4) it was
> > judged that including more specific build instructions for all the
> > possible combinations of telnet and build options gave too high a risk
> > for errors, possibly resulting in users not actually getting telnet
> > rebuilt correctly.
>
> That's right. For 5.x, it is fairly straightforward:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/libtelnet
> # make obj && make depend && make
> # cd /usr/src/usr.bin/telnet
> # make obj && make depend && make && make install
>
> But 4.x has no less than four possible telnet clients that might be
> installed depending upon local settings of NOCRYPT, MAKE_KERBEROS4,
> MAKE_KERBEROS5, and probably others :-/

Does it also get simple on 4.x if there is no /etc/make.conf?

---
KIMURA Yasuhiro
Mail: yasu@utahime.org
WWW: http://www.utahime.org/


From: "Darren Pilgrim"
Date: Mon, 28 Mar 2005 22:19:46 -0800
To: "'Colin Percival'"
Cc: freebsd-security@freebsd.org
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet

Colin Percival wrote:
> Will Yardley wrote:
> >
> > Normally, the security advisories just have you rebuild the
> > program in question - wouldn't that have sufficed here?
>
> For historical reasons, the telnet build is rather messy: Depending
> upon which options you have set in /etc/make.conf, telnet might need
> to be rebuilt from one of four different directories.

You mean, there isn't a cushy Makefile somewhere with a target to automatically choose the correct version to build based on the contents of /etc/make.conf? *gasp* Horrors! Scary.

Methinks I've gotten soft in a FreeBSD world where you can do anything you want as long as you know the appropriate target. :)


From: Daniel Gerzo
Date: Mon, 28 Mar 2005 23:39:30 +0200
To: Will Yardley, freebsd-security@freebsd.org
Subject: Re[2]: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet

Hey Will,

Monday, March 28, 2005, 11:24:08 PM, you wrote:

> On Mon, Mar 28, 2005 at 07:52:14PM +0000, FreeBSD Security Advisories wrote:
> [ Not sure elsewhere to follow up to - I don't want to bug the security
> team directly about this, so just writing the list for now ]

>> b) Execute the following commands as root:
>>
>> # cd /usr/src
>> # patch < /path/to/patch

> On my home machine (5.3-RELEASE) this failed - I had to go to
> /usr/src/contrib/telnet/telnet for the patch to apply.

>> c) Rebuild the operating system as described in
>> .

> Just curious... why is it necessary to rebuild the whole operating
> system? Normally, the security advisories just have you rebuild the
> program in question - wouldn't that have sufficed here?

I think this might be enough:

cd /usr/src/usr.bin/telnet ; make clean && make all install

but I don't know exactly if this is really the correct way to do it..

> w

--
R.I.P.

+----------==/\/\==----------+   (__)      FreeBSD
| DanGer                     |   \\\'',)   The
| DanGer@IRCnet ICQ261701668 |     \/  \ ^ Power
| http://danger.rulez.sk     |     .\._/_) To
+----------==\/\/==----------+             Serve


From: Doug Barton
Date: Tue, 29 Mar 2005 14:58:30 -0800
Organization: http://www.FreeBSD.org/
To: Daniel Gerzo
Cc: freebsd-security@freebsd.org, Will Yardley
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet

Daniel Gerzo wrote:
> I think this might be enough:
>
> cd /usr/src/usr.bin/telnet ; make clean && make all install
>
> but I don't know exactly if this is really the correct way to do
> it..

With all due respect, if you don't KNOW the answer to an absolute certainty, you shouldn't offer advice on security matters. The people who do know the answer have already given their suggestion, and while rebuilding the system may SEEM like overkill, it is the best way to handle this situation.

This thread really needs to die.

Doug

--
This .signature sanitized for your protection


From: Aleksander Fafula
Date: Wed, 30 Mar 2005 12:00:07 +0000
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet

Hello.

Maybe not very important, but is the field "FreeBSD only:" deprecated or not mentioned accidentally (in this and the previous SA)?

Regards,
oleczek

--
Still looking for the last digit of pi...
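The defect class named in section II of the advisory earlier in this thread (peer-supplied TELNET option data appended to a fixed-size buffer) is shown below as an added C example constructed for this page; it is not the telnet(1) source, the FreeBSD patch, or any poster's code. The names (reply_buf, reply_put, build_reply), the 32-byte REPLY_MAX and the sample inputs are assumptions; the rule that a data byte of 255 is sent as IAC IAC is RFC 854's, and the example checks room in output bytes so that escaping cannot push the reply past the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TELNET command bytes (RFC 854). */
#define IAC 255  /* "interpret as command"; a data byte of 255 is sent as IAC IAC */
#define SB  250  /* begin subnegotiation */
#define SE  240  /* end subnegotiation */

/* Constructed reply buffer. It is deliberately tiny (32 bytes) so the limit
 * is easy to reach; the point is the accounting, not the size. */
#define REPLY_MAX 32

struct reply_buf {
    unsigned char data[REPLY_MAX];
    size_t len;
};

/* The defect class from section II of the advisory has this shape:
 *
 *     static unsigned char reply[REPLY_MAX];
 *     unsigned char *rp = reply;
 *     ...
 *     *rp++ = c;      // peer-controlled byte, no check of remaining room
 *
 * Every append below checks the remaining room first and reports failure
 * to the caller, so the worst a hostile peer can do is make the client
 * abandon the reply. */

static int room_for(const struct reply_buf *r, size_t need)
{
    return REPLY_MAX - r->len >= need;
}

/* Start a subnegotiation reply: IAC SB <opt>. Returns 0, or -1 if it does
 * not fit. */
int reply_begin(struct reply_buf *r, unsigned char opt)
{
    r->len = 0;
    if (!room_for(r, 3))
        return -1;
    r->data[r->len++] = IAC;
    r->data[r->len++] = SB;
    r->data[r->len++] = opt;
    return 0;
}

/* Append one peer-supplied data byte. A byte equal to IAC must be doubled
 * on the wire, so it needs two bytes of room: a check that counts input
 * bytes instead of output bytes under-counts here. Returns 0 or -1. */
int reply_put(struct reply_buf *r, unsigned char c)
{
    size_t need = (c == IAC) ? 2 : 1;
    if (!room_for(r, need))
        return -1;
    r->data[r->len++] = c;
    if (c == IAC)
        r->data[r->len++] = IAC;
    return 0;
}

/* Terminate the reply with IAC SE. Returns 0 or -1. */
int reply_end(struct reply_buf *r)
{
    if (!room_for(r, 2))
        return -1;
    r->data[r->len++] = IAC;
    r->data[r->len++] = SE;
    return 0;
}

/* Build a complete reply for option 'opt' carrying the n bytes of 'val'
 * received from the peer. Returns the encoded length, or -1 if the reply
 * would not fit, in which case nothing should be sent. */
int build_reply(struct reply_buf *r, unsigned char opt,
                const unsigned char *val, size_t n)
{
    if (reply_begin(r, opt) < 0)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (reply_put(r, val[i]) < 0)
            return -1;
    if (reply_end(r) < 0)
        return -1;
    return (int)r->len;
}

int main(void)
{
    struct reply_buf r;
    unsigned char plain[10];    /* constructed: ten ordinary bytes */
    unsigned char escaped[14];  /* constructed: fourteen IAC bytes */
    memset(plain, 'A', sizeof plain);
    memset(escaped, IAC, sizeof escaped);

    /* Option 39 is NEW-ENVIRON (RFC 1572), the option env_opt_add() serves. */
    printf("10 plain bytes -> %d\n", build_reply(&r, 39, plain, sizeof plain));
    /* 3 + 10 + 2 = 15 bytes */
    printf("14 IAC bytes   -> %d\n", build_reply(&r, 39, escaped, sizeof escaped));
    /* 3 + 28 + 2 = 33 > 32: rejected even though 14 input bytes < REPLY_MAX */
    return 0;
}
```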
From owner-freebsd-security@FreeBSD.ORG Wed Mar 30 11:07:22 2005
From: Colin Percival
Date: Wed, 30 Mar 2005 03:07:11 -0800
To: Aleksander Fafula
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet
Message-ID: <424A885F.902@freebsd.org>
In-Reply-To: <20050330120007.GA57895@fafula.com>

Aleksander Fafula wrote:
> Maybe not very important but is the field "FreeBSD only:" depreciated
> or not mentioned accidentally (in this and previous SA)?

We decided that since almost all FreeBSD code is shared with other systems (most notably, DragonFlyBSD), there wasn't much point in keeping this field. The task of identifying all the different systems affected by any particular bug is best left to CVE, so we confine ourselves to identifying where the problem exists in our tree (e.g., is it contrib code or not?) and listing the CVE name so that people can look up other affected systems if they wish.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Thu Mar 31 19:21:06 2005
From: Steve Kiernan
Organization: Juniper Networks Inc.
Date: Thu, 31 Mar 2005 14:20:55 -0500
To: freebsd-security@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet
Message-ID: <1112296855.8421.64.camel@localhost>

I was looking at this patch, but there seems to be an error in it:

 unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
 unsigned char *slc_replyp;

Should the value for slc_reply_eom not be this instead?

unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply) - 1];

Considering the conditionals are the following:

+    if (&slc_replyp[6+2] > slc_reply_eom)
+        return;

.. and ..

+    /* The end of negotiation command requires 2 bytes. */
+    if (&slc_replyp[2] > slc_reply_eom)
+        return;

If you don't subtract 1 from the sizeof(slc_reply) or change the conditional operators to >=, then you could try to write one byte past the end of the buffer.
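Review bot: the added declaration `+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];` is the one-past-the-end pointer, not the last element, and nothing in the hunk says so; a one-line comment beside it (for instance `/* one past the last byte of slc_reply */`) would spare readers the off-by-one question that this very message raises.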
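Review bot: in `if (&slc_replyp[6+2] > slc_reply_eom)` and `if (&slc_replyp[2] > slc_reply_eom)` the decision is reached by first forming `&slc_replyp[N]`, which lies beyond `slc_reply_eom` precisely when fewer than N bytes remain, i.e. in the case the check exists to catch; the same condition written as a pointer difference, `if (slc_reply_eom - slc_replyp < 6+2)` and `if (slc_reply_eom - slc_replyp < 2)`, only ever subtracts pointers into `slc_reply` and rejects in exactly the same cases. The `>` (rather than `>=`) is correct as written, because `&slc_replyp[N]` is the byte after the last one the following code writes.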
--
Steve Kiernan
Juniper Networks

From owner-freebsd-security@FreeBSD.ORG Thu Mar 31 22:37:11 2005
From: Colin Percival
Date: Thu, 31 Mar 2005 14:36:56 -0800
To: Steve Kiernan
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet
Message-ID: <424C7B88.9030605@freebsd.org>
In-Reply-To: <1112296855.8421.64.camel@localhost>

Steve Kiernan wrote:
> I was looking at this patch, but there seems to be an error in it:
>
>  unsigned char slc_reply[128];
> +unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
>  unsigned char *slc_replyp;
>
> Should the value for slc_reply_eom not be this instead?
>
> unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply) - 1];

No.

> Considering the conditionals are the following:
>
> +    if (&slc_replyp[6+2] > slc_reply_eom)
> +        return;
>
> .. and ..
>
> +    /* The end of negotiation command requires 2 bytes. */
> +    if (&slc_replyp[2] > slc_reply_eom)
> +        return;
>
> If you don't subtract 1 from the sizeof(slc_reply) or change the
> conditional operators to >=, then you could try to write one byte past
> the end of the buffer.

The tests are written a bit oddly, but I'm fairly certain that they are correct. &slc_replyp[6+2] and &slc_replyp[2] are not the addresses of the last bytes which will be written; rather, they are the addresses of the byte after the last byte which will be written.

Taking the second example, if slc_replyp == slc_reply + 126, then we will have &slc_replyp[2] == slc_reply_eom, but (looking at the code) the two final bytes will be written into slc_reply[126] and slc_reply[127].
Colin Percival

From owner-freebsd-security@FreeBSD.ORG Thu Mar 31 22:57:03 2005
From: Steve Kiernan
Organization: Juniper Networks Inc.
Date: Thu, 31 Mar 2005 17:56:53 -0500
To: Colin Percival
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet
Message-ID: <1112309813.8421.96.camel@localhost>
In-Reply-To: <424C7B88.9030605@freebsd.org>

On Thu, 2005-03-31 at 14:36 -0800, Colin Percival wrote:
> Steve Kiernan wrote:
> > I was looking at this patch, but there seems to be an error in it:
> >
> >  unsigned char slc_reply[128];
> > +unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
> >  unsigned char *slc_replyp;
> >
> > Should the value for slc_reply_eom not be this instead?
> >
> > unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply) - 1];
>
> No.
>
> > Considering the conditionals are the following:
> >
> > +    if (&slc_replyp[6+2] > slc_reply_eom)
> > +        return;
> >
> > .. and ..
> >
> > +    /* The end of negotiation command requires 2 bytes. */
> > +    if (&slc_replyp[2] > slc_reply_eom)
> > +        return;
> >
> > If you don't subtract 1 from the sizeof(slc_reply) or change the
> > conditional operators to >=, then you could try to write one byte past
> > the end of the buffer.
>
> The tests are written a bit oddly, but I'm fairly certain that they
> are correct. &slc_replyp[6+2] and &slc_replyp[2] are not the
> addresses of the last bytes which will be written; rather, they are
> the addresses of the byte after the last byte which will be written.
>
> Taking the second example, if slc_replyp == slc_reply + 126, then we
> will have &slc_replyp[2] == slc_reply_eom, but (looking at the code)
> the two final bytes will be written into slc_reply[126] and
> slc_reply[127].

Ah, yes, you are correct, the tests are just odd. Thanks.

--
Steve Kiernan
Juniper Networks

From owner-freebsd-security@FreeBSD.ORG Thu Mar 31 14:54:23 2005
From: Dmitry Pryanishnikov
Date: Thu, 31 Mar 2005 17:54:11 +0300 (EEST)
To: freebsd-security@freebsd.org
Subject: Re[2]: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet
Message-ID: <20050331173634.K96091@atlantis.atlantis.dp.ua>

Hello!

> Date: Mon, 28 Mar 2005 23:39:30 +0200
> From: Daniel Gerzo
>> Just curious... why is it necessary to rebuild the whole operating
>> system? Normally, the security advisories just have you rebuild the
>> program in question - wouldn't that have sufficed here?
>
> I think, this might be enough:
>
> cd /usr/src/usr.bin/telnet ; make clean && make all install
>
> but I don't exactly know, if this is really correct way how to do
> it..

This way is incorrect in two aspects. First, you'll have to compile libtelnet first:

cd /usr/src/lib/libtelnet
make obj && make depend && make
cd /usr/src/usr.bin/telnet
make obj && make depend && make && make install

But second is that you'll get telnet w/o data encryption support, which isn't what you want (unless you have NOCRYPT=true in your /etc/make.conf). You can recompile telnet properly (in the typical case: no NOCRYPT and no MAKE_KERBEROS[45] either) using the following commands:

cd /usr/src/secure/lib/libtelnet
make obj && make depend && make
cd /usr/src/secure/usr.bin/telnet
make obj && make depend && make && make install

However, I can overlook something more, so I'm giving no warranties at all...

Sincerely,
Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE

From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 07:29:53 2005
From: Roberto
Date: Fri, 1 Apr 2005 09:29:48 +0200 (CEST)
To: "Colin Percival"
Cc: Steve Kiernan, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet
Message-ID: <1068.192.168.0.150.1112340588.squirrel@mail.redix.it:443>
In-Reply-To: <424C7B88.9030605@freebsd.org>

> Steve Kiernan wrote:
>> I was looking at this patch, but there seems to be an error in it:
>>
>>  unsigned char slc_reply[128];
>> +unsigned char const * const slc_reply_eom =
>> &slc_reply[sizeof(slc_reply)];
>>  unsigned char *slc_replyp;
>>
>> Should the value for slc_reply_eom not be this instead?
>>
>> unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)
>> - 1];
>
> No.
>
>> Considering the conditionals are the following:
>>
>> +    if (&slc_replyp[6+2] > slc_reply_eom)
>> +        return;
>>
>> .. and ..
>>
>> +    /* The end of negotiation command requires 2 bytes. */
>> +    if (&slc_replyp[2] > slc_reply_eom)
>> +        return;
>>
>> If you don't subtract 1 from the sizeof(slc_reply) or change the
>> conditional operators to >=, then you could try to write one byte past
>> the end of the buffer.
>
> The tests are written a bit oddly, but I'm fairly certain that they
> are correct. &slc_replyp[6+2] and &slc_replyp[2] are not the
> addresses of the last bytes which will be written; rather, they are
> the addresses of the byte after the last byte which will be written.
>
> Taking the second example, if slc_replyp == slc_reply + 126, then we
> will have &slc_replyp[2] == slc_reply_eom, but (looking at the code)
> the two final bytes will be written into slc_reply[126] and
> slc_reply[127].
>
> Colin Percival

Actually I've not read the code, but from these email it seems to me that someone could be confused by this code (at least Steve and I); for example refer to the address "&slc_reply[128];" when slc_reply[127] is the last element.

I do not want to be offensive in any way, what I want to say is that this code is clear to you (and the person who wrote it) but the next programmer that will reuse the code (because this is a open source) could make a mistake.

I think many bugs can derive from code not easy to understand.

This is only my opinion.

Kind Regards,
Roberto

From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 14:18:38 2005
From: "Jacques A. Vidrine"
Date: Fri, 1 Apr 2005 08:18:33 -0600
To: Roberto
Message-ID: <20050401141833.GF4455@lum.celabo.org>
Cc: Steve Kiernan, freebsd-security@freebsd.org, Colin Percival
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet
In-Reply-To: <1068.192.168.0.150.1112340588.squirrel@mail.redix.it:443>

On Fri, Apr 01, 2005 at 09:29:48AM +0200, Roberto wrote:
> Actually I've not read the code,

Then why are you posting your opinion about it? (^_^) I guess I'm responding to your post only to prevent others from worrying about a non-existent ``problem''.

> but from these email it seems to me that
> someone could be confused by this code (at least Steve and I); for example
> refer to the address "&slc_reply[128];" when slc_reply[127] is the last
> element.

There is no reference to ``&slc_reply[128]''. There *is* a pointer initialized to the equivalent expression ``&slc_reply[sizeof(slc_reply)]'', which is the usual way to designate the end of a sequence. For example,

    char buf[...];
    const char *eom = &buf[sizeof(buf)];

    while (p < eom) /* `*p' is valid */;
    size_t n = eom - p; /* There are `n' bytes left */

If we used a pointer to the last element (instead of one beyond the last element), we'd need to adjust many expressions by 1, which is error-prone and ugly.
> I do not want to be offensive in any way, what I want to say is that this
> code is clear to you (and the person who wrote it) but the next programmer
> that will reuse the code (because this is a open source) could make a
> mistake.
>
> I think many bugs can derive from code not easy to understand.
>
> This is only my opinion.

I find the tests fairly idiomatic and I find it easy to see their correctness. I doubt I'm alone. The suggested fix was reviewed by a number of coders from several open source operating system projects and caused no confusion. The form was chosen to clearly show how many bytes were expected to be written at that point. IMHO, using alternative forms invites off-by-one errors.

    if (&slc_replyp[6+2] > slc_reply_eom)
        return;
    /* past this point, we can write 6+2 bytes, slc_replyp[0]
     * through slc_replyp[7]. */

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 14:23:01 2005
From: "Jacques A. Vidrine"
Date: Fri, 1 Apr 2005 08:22:56 -0600
To: freebsd-security@FreeBSD.org
Subject: Security Officer-supported branches update
Message-ID: <20050401142256.GG4455@lum.celabo.org>

Hello Everyone,

The branches supported by the FreeBSD Security Officer have been updated to reflect recent EoL (end-of-life) events. The new list is below and at .

FreeBSD 4.8 has `expired' and is no longer supported effective April 1, 2005. Also note that FreeBSD 4.9 ceased to be supported on November 1, 2004. If you are running FreeBSD 4.8 or FreeBSD 4.9, it is recommended that you upgrade to FreeBSD 4.10 or FreeBSD 4.11.

[Excerpt from http://www.freebsd.org/security/ follows]

FreeBSD Security Advisories

The FreeBSD Security Officer provides security advisories for several branches of FreeBSD development. These are the -STABLE Branches and the Security Branches. (Advisories are not issued for the -CURRENT Branch.)

  * There is usually only a single -STABLE branch, although during the transition from one major development line to another (such as from FreeBSD 4.x to 5.x), there is a time span in which there are two -STABLE branches. The -STABLE branch tags have names like RELENG_4. The corresponding builds have names like FreeBSD 4.10-STABLE.

  * Each FreeBSD Release has an associated Security Branch. The Security Branch tags have names like RELENG_4_10. The corresponding builds have names like FreeBSD 4.10-RELEASE-p5.

Each branch is supported by the Security Officer for a limited time only, and is designated as one of `Early adopter', `Normal', or `Extended'. The designation is used as a guideline for determining the lifetime of the branch as follows.

  Early adopter
      Releases which are published from the -CURRENT branch will be supported by the Security Officer for a minimum of 6 months after the release.

  Normal
      Releases which are published from the -STABLE branch will be supported by the Security Officer for a minimum of 12 months after the release.

  Extended
      Selected releases will be supported by the Security Officer for a minimum of 24 months after the release.

The current designation and estimated lifetimes of the currently supported branches are given below. The Estimated EoL (end-of-life) column gives the earliest date on which that branch is likely to be dropped. Please note that these dates may be extended into the future, but only extenuating circumstances would lead to a branch's support being dropped earlier than the date listed.

+-------------------------------------------------------------------+
|  Branch   |  Release   |  Type  |  Release date  | Estimated EoL  |
|-----------+------------+--------+----------------+----------------|
|RELENG_4   |n/a         |n/a     |n/a             |January 31, 2007|
|-----------+------------+--------+----------------+----------------|
|RELENG_4_10|4.10-RELEASE|Extended|May 27, 2004    |May 31, 2006    |
|-----------+------------+--------+----------------+----------------|
|RELENG_4_11|4.11-RELEASE|Extended|January 25, 2005|January 31, 2007|
|-----------+------------+--------+----------------+----------------|
|RELENG_5   |n/a         |n/a     |n/a             |October 31, 2006|
|-----------+------------+--------+----------------+----------------|
|RELENG_5_3 |5.3-RELEASE |Extended|November 6, 2004|October 31, 2006|
+-------------------------------------------------------------------+

Older releases are not maintained and users are strongly encouraged to upgrade to one of the supported releases mentioned above.

[End excerpt]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (Darwin)

iD8DBQFCTVlAFdaIBMps37IRAoLFAKCPtM3oXxR0XivxO314RQfvg3yd0ACgiMvj
Q0ZeoQjcIYcuZVkUmijG+jY=
=Gm1S
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 15:12:06 2005
Date: Sat, 2 Apr 2005 01:11:59 +1000 (EST)
From: Bruce Evans
To: Roberto
Cc: Steve Kiernan, freebsd-security@freebsd.org, Colin Percival
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet
Message-ID: <20050402002110.L24719@delplex.bde.org>
In-Reply-To: <1068.192.168.0.150.1112340588.squirrel@mail.redix.it:443>

On Fri, 1 Apr 2005, Roberto wrote:

>> Steve Kiernan wrote:
>>> I was looking at this patch, but there seems to be an error in it:
>>>
>>>  unsigned char slc_reply[128];
>>> +unsigned char const * const slc_reply_eom =
>>> &slc_reply[sizeof(slc_reply)];
>>>  unsigned char *slc_replyp;
>>>
>>> Should the value for slc_reply_eom not be this instead?
>>>
>>> unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)
>>> - 1];
>>
>> No.
>>
>>> Considering the conditionals are the following:
>>>
>>> +    if (&slc_replyp[6+2] > slc_reply_eom)
>>> +        return;
>>>
>>> .. and ..
>>>
>>> +    /* The end of negotiation command requires 2 bytes. */
>>> +    if (&slc_replyp[2] > slc_reply_eom)
>>> +        return;
>>>
>>> If you don't subtract 1 from the sizeof(slc_reply) or change the
>>> conditional operators to >=, then you could try to write one byte past
>>> the end of the buffer.
>>
>> The tests are written a bit oddly, but I'm fairly certain that they
>> are correct. &slc_replyp[6+2] and &slc_replyp[2] are not the
>> addresses of the last bytes which will be written; rather, they are
>> the addresses of the byte after the last byte which will be written.
Actually, they are wrong. Pointers can only be compared (without the comparison giving undefined behaviour) iff they are into the same array (or one is null). There is a special case for the element one past the end of the array (slc_reply_eom here). This is a valid pointer, and some comparisons with it are valid, but ones like (&slc_replyp[2] > slc_reply_eom) are nonsense since if &slc_replyp[2] is valid then the result of the comparison is 0. The undefined behaviour just happens to work on most machines, because there are usually some bytes in the same address space beyond the end of the array.

>> Taking the second example, if slc_replyp == slc_reply + 126, then we
>> will have &slc_replyp[2] == slc_reply_eom, but (looking at the code)
>> the two final bytes will be written into slc_reply[126] and
>> slc_reply[127].

Then both slc_replyp and &slc_replyp[2] are valid, so there is no problem. If slc_replyp == slc_reply + 127, then &slc_replyp[2] is garbage and referencing it gives undefined behaviour (slightly before the comparison gives it).

This is essentially an example of how not to do error overflow checking: check for it after it may have occurred. The correct code is something like:

    /* The end of negotiation command requires 2 bytes. */
    if (slc_reply_eom - slc_replyp < 2)
        return;

This depends on slc_replyp being valid. Previous code should have ensured this. To be valid, it must point into some array of unsigned chars, and that array must be slc_reply. If it points into a different array of unsigned chars, then undefined behaviour doesn't occur until we compare it.

> Actually I've not read the code, but from these email it seems to me that
> someone could be confused by this code (at least Steve and I); for example
> refer to the address "&slc_reply[128];" when slc_reply[127] is the last
> element.
>
> I do not want to be offensive in any way, what I want to say is that this
> code is clear to you (and the person who wrote it) but the next programmer
> that will reuse the code (because this is a open source) could make a
> mistake.
>
> I think many bugs can derive from code not easy to understand.

Having an "end" address of 1 after the last element is normal and good. This address is a bit hard to compare with correctly, but comparing with the address of the last element is harder. The fixed version of the above would be:

    /*
     * The end of negotiation command requires 2 bytes.
     */
    if (slc_reply_lastp - slc_replyp < 2 - 1)
        return;

Note that the pointer difference is -1 if slc_replyp happens to be the "end" address, so it is important that the size in the right hand operand is a signed integer. If the amount of space required was sizeof(foo), then we would have to convert it to a signed integer; if it was #defined, then we would have to convert it similarly and worry more about the conversion overflowing.

Bruce
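The following is an added example, not code from the FreeBSD telnet patch or from any poster in this thread. It serves three of the messages above at once: Colin Percival's walk-through of the two-byte write at offset 126, Jacques Vidrine's one-past-the-end idiom, and Bruce Evans's pointer-difference form of the check. It models the 128-byte slc_reply buffer with the thread's own names (slc_reply, slc_replyp, slc_reply_eom) and the two record sizes the quoted checks use (6+2 and 2); the helper functions patch_form_rejects, last_elem_form_rejects, diff_form_rejects, slc_reply_put, forms_agree and fill_reply, and the sample record bytes, are assumptions made for this example. The patch's own decision is evaluated on offsets rather than by forming &slc_replyp[N], so the example itself never creates a pointer beyond the end of the array; the exhaustive check shows that the pointer-difference form makes the same decision at every offset, and that a last-element end pointer would wrongly refuse a record that ends flush with the buffer.

```c
/*
 * Added example; not code from the FreeBSD telnet patch or from any poster.
 * Models the slc_reply buffer under discussion (slc_reply, slc_replyp and
 * slc_reply_eom are the thread's names; 6+2 and 2 are the record sizes the
 * quoted checks use) and compares three ways to write the bounds check:
 * the patch's "&p[need] > eom", the proposed "eom = last element" variant,
 * and the pointer-difference form "eom - p < need".  The helper functions
 * and the sample record bytes are assumptions.  Build: cc -std=c99 -Wall
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLC_REPLY_SIZE 128

static unsigned char slc_reply[SLC_REPLY_SIZE];
/* One past the last element: the usual "end of sequence" designator. */
static unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
static unsigned char *slc_replyp = slc_reply;

/* The patch's decision, computed on offsets so this example never forms a
 * pointer beyond slc_reply_eom: "&slc_replyp[need] > slc_reply_eom" holds
 * exactly when off + need > SLC_REPLY_SIZE. */
static int patch_form_rejects(size_t off, size_t need)
{
    return off + need > SLC_REPLY_SIZE;
}

/* The same test if slc_reply_eom pointed at the last element (index 127). */
static int last_elem_form_rejects(size_t off, size_t need)
{
    return off + need > SLC_REPLY_SIZE - 1;
}

/* Pointer-difference form: subtracting two pointers into the same array
 * (its one-past-the-end pointer included) is defined, so the decision is
 * reached without ever forming an out-of-range pointer. */
static int diff_form_rejects(const unsigned char *p, size_t need)
{
    ptrdiff_t remaining = slc_reply_eom - p;
    return remaining < (ptrdiff_t)need;
}

/* Append n bytes at slc_replyp: 1 on success, 0 if the record does not fit. */
static int slc_reply_put(const unsigned char *data, size_t n)
{
    if (diff_form_rejects(slc_replyp, n))
        return 0;
    memcpy(slc_replyp, data, n);
    slc_replyp += n;
    return 1;
}

/* Exhaustive check over offsets 0..128 and both record sizes: the patch's
 * test and the difference form always agree, and the last-element variant
 * differs from them exactly when a record ends flush with the buffer (the
 * offset-126, two-byte case walked through above).  Returns 1 if so. */
static int forms_agree(void)
{
    const size_t needs[2] = { 6 + 2, 2 };
    for (size_t off = 0; off <= SLC_REPLY_SIZE; off++) {
        for (int i = 0; i < 2; i++) {
            size_t need = needs[i];
            int a = patch_form_rejects(off, need);
            int b = diff_form_rejects(slc_reply + off, need);
            int c = last_elem_form_rejects(off, need);
            if (a != b || (a != c) != (off + need == SLC_REPLY_SIZE))
                return 0;
        }
    }
    return 1;
}

/* Reset the buffer, write up to big_records constructed 8-byte records, then
 * 2-byte "end of negotiation" records until one is refused.  Returns the
 * total bytes written; *small_written (if non-NULL) gets the 2-byte count. */
static size_t fill_reply(size_t big_records, size_t *small_written)
{
    static const unsigned char rec8[8] = { 0xff, 0xfa, 0x03, 0x01, 0x02, 0x03, 0xff, 0xf0 }; /* constructed */
    static const unsigned char rec2[2] = { 0xff, 0xf0 };  /* IAC SE, constructed */
    size_t small = 0;

    slc_replyp = slc_reply;
    for (size_t i = 0; i < big_records; i++)
        if (!slc_reply_put(rec8, sizeof rec8))
            break;
    while (slc_reply_put(rec2, sizeof rec2))
        small++;
    if (small_written != NULL)
        *small_written = small;
    return (size_t)(slc_replyp - slc_reply);
}

int main(void)
{
    size_t small, total = fill_reply(15, &small);
    printf("forms agree: %s; 15 x 8-byte then 2-byte records: %zu bytes, %zu small\n",
           forms_agree() ? "yes" : "no", total, small);
    return forms_agree() ? 0 : 1;
}
```

With 15 eight-byte records written first (120 bytes), four two-byte records fit at offsets 120, 122, 124 and 126 and the fifth is refused at offset 128, which is the case the thread argues over: at offset 126 the patch's form and the difference form both accept, while a last-element end pointer would reject. The writer deliberately uses the difference form, since it depends only on slc_replyp being a valid pointer into slc_reply and never on a pointer that may lie beyond it.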