Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3f060bee-a765-4cd8-e752-e0cdfef5c6f2@oracle.com>
Date: Tue, 11 Dec 2018 13:10:51 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com,
        Hacker Fantastic <hackerfantastic@...glemail.com>
Subject: Re: Multiple telnet.c overflows

On 12/11/18 10:39 AM, Hacker Fantastic wrote:
> When a telnet server requests environment options the sprintf on line 1002 will
> not perform bounds checking and causes an overflow of stack buffer
> temp[50] defined
> at line 990. This issue can be trivially fixed using a patch to add
> bounds checking
> to sprintf such as with a call to snprintf();

GNU inetutils telnet is a fork of the original BSD telnet code, but most of
the BSD's seem to have already switched to snprintf a while ago:

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/telnet/telnet.c.diff?r1=1.3&r2=1.4&f=h
https://github.com/freebsd/freebsd/commit/d2f83e4ec488ec62281318b26dad107e65d96d0c#diff-3503402e6a2ad1eb960a4f475f19fb9f

with NetBSD as the outlier:
http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.bin/telnet/telnet.c?rev=1.36&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

illumos also uses snprintf, in the code it inherited from OpenSolaris:
https://github.com/illumos/illumos-gate/blob/master/usr/src/cmd/cmd-inet/usr.bin/telnet/telnet.c#L955

	-alan-

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.