Package: krb4
Severity: grave
Tags: patch
Justification: user security hole
CAN-2005-0469 describes a buffer overflow in the slc_add_reply() function. It has already been fixed in krb5, but is present in krb4 as well. I'm not familiar with the krb4 code base, but the fix from krb5 seems applicable as well. It's attached, but please double check with the Security Team, who might have a better fix.

Cheers,
Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
diff -Naur krb4-1.2.2.orig/appl/telnet/telnet/telnet.c krb4-1.2.2/appl/telnet/telnet/telnet.c --- krb4-1.2.2.orig/appl/telnet/telnet/telnet.c 2002-05-03 12:19:43.000000000 +0200 +++ krb4-1.2.2/appl/telnet/telnet/telnet.c 2005-04-24 15:36:39.000000000 +0200 @@ -1309,6 +1309,8 @@ void slc_add_reply(unsigned char func, unsigned char flags, cc_t value) { + if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply)) + return; if ((*slc_replyp++ = func) == IAC) *slc_replyp++ = IAC; if ((*slc_replyp++ = flags) == IAC) @@ -1322,11 +1324,12 @@ { int len; - *slc_replyp++ = IAC; - *slc_replyp++ = SE; len = slc_replyp - slc_reply; - if (len <= 6) + if (len <= 4 || (len + 2 > sizeof(slc_reply))) return; + *slc_replyp++ = IAC; + *slc_replyp++ = SE; + len += 2; if (NETROOM() > len) { ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply); printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
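Review bot: In the first hunk (slc_add_reply), the new guard `if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply)) return;` correctly reserves room for the three bytes plus their worst-case IAC doubling, but it compares a signed ptrdiff_t against size_t, which most compilers flag with -Wsign-compare; casting the offset to size_t (or keeping both sides as size_t) avoids the warning and the implicit conversion. It also does not reserve the two bytes that slc_end_reply must append for IAC SE, so a reply that exactly fills the buffer here is later discarded whole; reserving 8 bytes at this point would keep every accepted triple sendable.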
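Review bot: In the second hunk (slc_end_reply), the reordering is the right fix, since the old code wrote IAC SE before checking anything, but `if (len <= 4 || (len + 2 > sizeof(slc_reply)))` mixes an int `len` with size_t again, and when the overflow branch is taken the whole suboption is silently dropped with no log or diagnostic, which makes a truncated SLC negotiation hard to trace in the field. A short comment explaining that `len <= 4` now means "header only, nothing to send" (the old `len <= 6` included the trailing IAC SE) would help the next reader, as would a debug print on the dropped-reply path.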