From owner-freebsd-security  Thu May  1 15:53:56 1997
Return-Path: <owner-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id PAA23071
          for security-outgoing; Thu, 1 May 1997 15:53:56 -0700 (PDT)
Received: from charon.MIT.EDU (brnstndkramden.acf.nyu.edu@CHARON.MIT.EDU [18.70.0.224])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA23066
          for <freebsd-security@FreeBSD.ORG>; Thu, 1 May 1997 15:53:53 -0700 (PDT)
From: mhpower@mit.edu
Received: (from mhpower@localhost) by charon.MIT.EDU (8.7.6/2.3JIK) id SAA06953; Thu, 1 May 1997 18:53:59 -0400
Date: Thu, 1 May 1997 18:53:59 -0400
Message-Id: <199705012253.SAA06953@charon.MIT.EDU>
To: bradley@dunn.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Telnetd problem?
In-Reply-To: <Pine.BSF.3.96.970501163938.16494E-100000@ns2.harborcom.net>
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>From src/libexec/telnetd/sys_term.c:
...
>sprintf(speed, "%s/%d", (cp = getenv("TERM")) ? cp : "",
...
>This code is identical to the problematic kerberos code ...

The code is also inside "#if defined(LOGIN_R)" "#endif", as it is in
many other variants of this telnetd. I haven't personally seen any
environments in which LOGIN_R is defined at build time, and I suspect
it's not normally defined on FreeBSD systems. There may be some systems
where LOGIN_R is defined, but I think typically the code is not
actually problematic as a consequence of it not actually being compiled.

Matt Power
mhpower@mit.edu