From owner-freebsd-security Thu May 1 13:54:44 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id NAA15995 for security-outgoing; Thu, 1 May 1997 13:54:44 -0700 (PDT)
Received: from ns2.harborcom.net (root@ns2.harborcom.net [206.158.4.4]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA15986 for ; Thu, 1 May 1997 13:54:41 -0700 (PDT)
Received: from localhost (bradley@localhost) by ns2.harborcom.net (8.8.5/8.8.5) with SMTP id QAA11131 for ; Thu, 1 May 1997 16:54:39 -0400 (EDT)
Date: Thu, 1 May 1997 16:54:39 -0400 (EDT)
From: Bradley Dunn
X-Sender: bradley@ns2.harborcom.net
Reply-To: Bradley Dunn
To: freebsd-security@freebsd.org
Subject: Telnetd problem?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

From src/libexec/telnetd/sys_term.c:

	char speed[128];
	...
	sprintf(speed, "%s/%d", (cp = getenv("TERM")) ? cp : "",
	    (def_rspeed > 0) ? def_rspeed : 9600);

This code is identical to the problematic kerberos code that was in the SNI
advisory. Also, it appears that the eBones in FreeBSD is vulnerable to both
problems in the SNI advisory. Just do a grep for 'strcpy' in
src/eBones/lib/libkrb.

pbd
--
Why can't you be a non-conformist like everyone else?