From: John Capo
Message-Id: <199511020206.VAA25935@irbs.irbs.com>
Subject: Re: CERT advisory, telnetd bug -- any progress?
To: rnw+@andrew.cmu.edu (Robert N Watson)
Date: Wed, 1 Nov 1995 21:06:24 -0500 (EST)
Cc: freebsd-questions@freefall.freebsd.org

Robert N Watson writes:
>
> I know there was some discussion going on on freebsd-security (or
> somewhere) concerning the telnetd patch -- has a formal patch been
> released yet, or are 2.0.5R users dead in the water for a bit? (well,
> rather, sitting ducks in the water.) Could a binary update to telnetd
> be put up somewhere for us to grab?
>

Here are patches, one for -stable and one for 1.1.5.1. I don't know
if either will apply to 2.0.5 but you can see how it is implemented.
Basically a function is added called scrub_env() and it is called
at the beginning of start_login().

In lieu of patching telnetd, you can use the setgid scheme in the
bulletin.

John Capo jc@irbs.com IRBS Engineering High performance FreeBSD systems (305) 792-9551 Internet Consulting - ISP Solutions --- Patch for -stable (aka 2.1) --- *** libexec/telnetd/sys_term.c Sun Sep 10 04:39:50 1995 --- /usr/current/libexec/telnetd/sys_term.c Tue Oct 24 05:35:22 1995 *************** *** 1555,1560 **** --- 1555,1562 ---- fatal(net, "makeutx failed"); #endif + scrub_env(); + /* * -h : pass on name of host. * WARNING: -h is accepted by login if and only if *************** *** 1766,1771 **** --- 1768,1798 ---- return(argv); } #endif /* NEWINIT */ + + /* + * scrub_env() + * + * Remove a few things from the environment that + * don't need to be there. + */ + scrub_env() + { + register char **cpp, **cpp2; + + for (cpp2 = cpp = environ; *cpp; cpp++) { + #ifdef __FreeBSD__ + if (strncmp(*cpp, "LD_LIBRARY_PATH=", 16) && + strncmp(*cpp, "LD_PRELOAD=", 11) && + #else + if (strncmp(*cpp, "LD_", 3) && + strncmp(*cpp, "_RLD_", 5) && + strncmp(*cpp, "LIBPATH=", 8) && + #endif + strncmp(*cpp, "IFS=", 4)) + *cpp2++ = *cpp; + } + *cpp2 = 0; + } /* * cleanup() ---- End of patch --- ---- Patch for 1.1.5.1 ---- *** libexec/telnetd/sys_term.c.orig Sun May 22 15:24:51 1994 --- libexec/telnetd/sys_term.c Wed Nov 1 14:46:45 1995 *************** *** 1275,1280 **** --- 1275,1282 ---- register char **argv; char **addarg(), *user; + scrub_env(); + /* * -h : pass on name of host. * WARNING: -h is accepted by login if and only if *************** *** 1371,1376 **** --- 1373,1397 ---- return(argv); } #endif /* NEWINIT */ + + /* + * scrub_env() + * + * Remove a few things from the environment that + * don't need to be there. + */ + scrub_env() + { + register char **cpp, **cpp2; + + for (cpp2 = cpp = environ; *cpp; cpp++) { + if (strncmp(*cpp, "LD_LIBRARY_PATH=", 16) && + strncmp(*cpp, "LD_PRELOAD=", 11) && + strncmp(*cpp, "IFS=", 4)) + *cpp2++ = *cpp; + } + *cpp2 = 0; + } /* * cleanup() --- End of Patch ---
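Review bot: In the first hunk of the -stable patch (the call added near line 1555), scrub_env() is used with no declaration in scope, because its definition only arrives in the second hunk further down the file and is written without a return type. The compiler will treat it as an implicit int function even though it returns nothing. Declare it near the top of sys_term.c and define it as void scrub_env(); since the only caller shown is this one, it can also be static.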
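Review bot: In the second hunk of the -stable patch, the #ifdef __FreeBSD__ branch of scrub_env() drops only the exact names LD_LIBRARY_PATH= and LD_PRELOAD=, while the #else branch drops everything that starts with LD_. Any other LD_-prefixed variable the runtime linker reads would still be passed through to login on FreeBSD. Unless there is a reason to keep some LD_ variable, use strncmp(*cpp, "LD_", 3) on every platform. A stricter design is to copy across only the variables login needs and drop everything else, so the filter does not depend on knowing every dangerous name in advance.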
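Review bot: In the second hunk of the 1.1.5.1 patch, the comment above scrub_env() says only that the removed variables "don't need to be there", which hides that this is a security filter on the environment handed to login. Say so in the comment, and name what each entry protects (the runtime linker for the LD_ names, shell word splitting for IFS), so that a later cleanup does not trim the list. This copy also hardcodes the same two LD_ names as the __FreeBSD__ branch of the -stable version, so any change to the list has to be made in both patches.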