The vulnerability specifically exists in the handling of the LINEMODE
suboptions, in that there is no size check made on the output, which is stored
in a fixed length buffer. By sending a specially constructed reply containing a
large number of SLC (Set Local Character) commands, it is possible to overflow
this buffer with server supplied data.
This issue also affects RHEL2.1 and RHEL3
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.