Date: Tue, 17 Feb 2009 12:50:21 -0600 From: Tom Judge <tom@tomjudge.com> To: freebsd-security@freebsd.org Cc: FreeBSD Security Advisories <security-advisories@freebsd.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:05.telnetd Message-ID: <499B06ED.6030900@tomjudge.com> In-Reply-To: <200902162202.n1GM2XUX003834@freefall.freebsd.org> References: <200902162202.n1GM2XUX003834@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, It seems that you got the patch levels wrong in this announcement, should it not be: 2009-02-16 21:56:17 UTC (RELENG_7, 7.1-STABLE) 2009-02-16 21:56:17 UTC (RELENG_7_1, 7.1-RELEASE-p3) 2009-02-16 21:56:17 UTC (RELENG_7_0, 7.0-RELEASE-p10) Rather than: 2009-02-16 21:56:17 UTC (RELENG_7, 7.1-STABLE) 2009-02-16 21:56:17 UTC (RELENG_7_1, 7.1-RELEASE-p10) 2009-02-16 21:56:17 UTC (RELENG_7_0, 7.0-RELEASE-p3) Regards Tom Judge FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > ============================================================================= > FreeBSD-SA-09:05.telnetd Security Advisory > The FreeBSD Project > > Topic: telnetd code execution vulnerability > > Category: core > Module: contrib > Announced: 2009-02-16 > Affects: FreeBSD 7.x > Corrected: 2009-02-16 21:56:17 UTC (RELENG_7, 7.1-STABLE) > 2009-02-16 21:56:17 UTC (RELENG_7_1, 7.1-RELEASE-p10) > 2009-02-16 21:56:17 UTC (RELENG_7_0, 7.0-RELEASE-p3) > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit <URL:http://security.FreeBSD.org/>. > > I. Background > > The FreeBSD telnet daemon, telnetd(8), implements the server side of the > TELNET virtual terminal protocol. It has been disabled by default in > FreeBSD since August 2001, and due to the lack of cryptographic security > in the TELNET protocol, it is strongly recommended that the SSH protocol > be used instead. The FreeBSD telnet daemon can be enabled via the > /etc/inetd.conf configuration file and the inetd(8) daemon. > > The TELNET protocol allows a connecting client to specify environment > variables which should be set in any created login session; this is used, > for example, to specify terminal settings. > > II. Problem Description > > In order to prevent environment variable based attacks, telnetd(8) "scrubs" > its environment; however, recent changes in FreeBSD's environment-handling > code rendered telnetd's scrubbing inoperative, thereby allowing potentially > harmful environment variables to be set. > > III. Impact > > An attacker who can place a specially-constructed file onto a target system > (either by legitimately logging into the system or by exploiting some other > service on the system) can execute arbitrary code with the privileges of > the user running the telnet daemon (usually root). > > IV. Workaround > > No workaround is available, but systems which are not running the telnet > daemon are not vulnerable. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1 or > RELENG_7_0 security branch dated after the correction date. > > 2) To patch your present system: > > The following patches have been verified to apply to FreeBSD 7.0 and 7.1 > systems. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch > # fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch.asc > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > # cd /usr/src/lib/libtelnet > # make obj && make depend && make > # cd /usr/src/libexec/telnetd > # make obj && make depend && make && make install > > VI. Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > CVS: > > Branch Revision > Path > - ------------------------------------------------------------------------- > RELENG_7 > src/contrib/telnet/telnetd/sys_term.c 1.18.22.1 > RELENG_7_1 > src/UPDATING 1.507.2.13.2.6 > src/sys/conf/newvers.sh 1.72.2.9.2.7 > src/contrib/telnet/telnetd/sys_term.c 1.18.30.2 > RELENG_7_0 > src/UPDATING 1.507.2.3.2.14 > src/sys/conf/newvers.sh 1.72.2.5.2.14 > src/contrib/telnet/telnetd/sys_term.c 1.18.26.1 > - ------------------------------------------------------------------------- > > Subversion: > > Branch/path Revision > - ------------------------------------------------------------------------- > stable/7/ r188699 > releng/7.1/ r188699 > releng/7.0/ r188699 > - ------------------------------------------------------------------------- > > VII. References > > http://lists.grok.org.uk/pipermail/full-disclosure/2009-February/067954.html > > The latest revision of this advisory is available at > http://security.FreeBSD.org/advisories/FreeBSD-SA-09:05.telnetd.asc > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (FreeBSD) > > iEYEARECAAYFAkmZ4dwACgkQFdaIBMps37JI2gCfZsCqw/ev/qVKELwNiFxj8zra > aooAn0GU4wBW7jBulFhrSyXtKVlgs18B > =joA6 > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security-notifications@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications > To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?499B06ED.6030900>