Date: 19 Jul 2001 19:03:50 +0200 From: Assar Westerlund <assar@FreeBSD.ORG> To: Matt Dillon <dillon@earth.backplane.com> Cc: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Mike Tancsa <mike@sentex.net>, Kris Kennaway <kris@obsecurity.org>, security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? Message-ID: <5lvgko26mh.fsf@assaris.sics.se> In-Reply-To: Matt Dillon's message of "Thu, 19 Jul 2001 00:47:22 -0700 (PDT)" References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Matt Dillon <dillon@earth.backplane.com> writes: > Lets see... There are actually *FOUR* telnetd's in our source tree. > > /usr/src/crypto/telnet/telnetd VULNERABLE > /usr/src/libexec/telnetd VULNERABLE > /usr/src/crypto/heimdal/appl/telnet/telnetd NOT VULNERABLE > /usr/src/crypto/kerberosIV/appl/telnet/telnetd/telnetd.c NOT VULNERABLE The last two are actually the `same', just from different versions from the same CVS tree. > The heimdal and kerberosIV telnetd's call an output_data() > function which does not allow the output buffer to overflow. The > first two telnetd' just blindly copy the option data into the output > buffer. The heimdal/kerberosIV are possibly less bad, but not blame-less, see further down in the thread. /assar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5lvgko26mh.fsf>