Bug 151267

Summary: CAN-2005-0469 Multiple Telnet Client issues (CAN-2005-0468)
Product: Red Hat Enterprise Linux 4 Reporter: Josh Bressers <bressers>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: high Docs Contact:
Priority: medium    
Version: 4.0CC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,embargo=20050328,source=vendorsec,reported=20050218
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-03-30 07:58:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Upstream patch for this issue none

Description Josh Bressers 2005-03-16 16:03:34 UTC
The slc_add_reply() function in telnet.c performs inadequate length
checking.  By sending a carefully crafted telnet LINEMODE suboption
string, a malicious telnet server may cause a telnet client to
overflow a fixed-size data segment or BSS buffer and execute arbitrary
code.

Comment 1 Josh Bressers 2005-03-16 16:04:47 UTC
This issue also affects RHEL2.1 and RHEL3.

Comment 2 Josh Bressers 2005-03-16 17:49:19 UTC
The env_opt_add() function in telnet.c performs inadequate length
checking.  By sending a carefully crafted telnet NEW-ENVIRON suboption
string, a malicious telnet server may cause a telnet client to
overflow a heap buffer and execute arbitrary code.

Comment 3 Josh Bressers 2005-03-16 17:53:08 UTC
Created attachment 112052 [details]
Upstream patch for this issue

Comment 6 Mark J. Cox 2005-03-30 07:46:54 UTC
removing embargo

Comment 7 Mark J. Cox 2005-03-30 07:58:56 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-330.html