Date: Tue, 11 Dec 2018 13:10:51 -0800 From: Alan Coopersmith <alan.coopersmith@...cle.com> To: oss-security@...ts.openwall.com, Hacker Fantastic <hackerfantastic@...glemail.com> Subject: Re: Multiple telnet.c overflows On 12/11/18 10:39 AM, Hacker Fantastic wrote: > When a telnet server requests environment options the sprintf on line 1002 will > not perform bounds checking and causes an overflow of stack buffer > temp defined > at line 990. This issue can be trivially fixed using a patch to add > bounds checking > to sprintf such as with a call to snprintf(); GNU inetutils telnet is a fork of the original BSD telnet code, but most of the BSD's seem to have already switched to snprintf a while ago: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/telnet/telnet.c.diff?r1=1.3&r2=1.4&f=h https://github.com/freebsd/freebsd/commit/d2f83e4ec488ec62281318b26dad107e65d96d0c#diff-3503402e6a2ad1eb960a4f475f19fb9f with NetBSD as the outlier: http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.bin/telnet/telnet.c?rev=1.36&content-type=text/x-cvsweb-markup&only_with_tag=MAIN illumos also uses snprintf, in the code it inherited from OpenSolaris: https://github.com/illumos/illumos-gate/blob/master/usr/src/cmd/cmd-inet/usr.bin/telnet/telnet.c#L955 -alan-
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.