Bug 75414 - talkd buffer overflow?
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: talk
Version: 8.0
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Phil Knirsch
QA Contact: Jay Turner
Keywords: Security
Reported: 2002-10-08 03:53 EDT by Pekka Savola
Modified: 2015-03-04 20:11 EST
Doc Type: Bug Fix
Last Closed: 2002-12-18 10:41:03 EST

Description Pekka Savola 2002-10-08 03:53:56 EDT
NetBSD released an advisory on talkd buffer overflow a day or two ago, check:

http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/libexec/talkd/

Quick look at netkit-ntalk code seems to indicate that a similar fix might be
necessary here too (also checked 0.18pre).

I also pinged the netkit maintainer, no reply at least yet.
Comment 1 Pekka Savola 2002-10-23 03:39:09 EDT
The maintainer responded back:
--8<--
It appears you may be right. I wonder how that slipped through.

However, the data in question comes from utmp. utmp is a trusted file.
Lots and *lots* of things are vulnerable if utmp is corrupted. And
this one (with a normal configuration) only gets you group tty, which
is less useful for hacking than group utmp.

This is not to say it shouldn't be fixed, and it will be... thanks for
the heads-up.
--8<--

If that analysis is correct this is not too grave a problem (who is using talkd
anyway??!?!? ;-), and will be fixed in upstream.

Comment 2 Phil Knirsch 2002-12-18 10:41:03 EST
Correct. :-)

Closing bug because of analysis. :-)

Read ya, Phil
