From: Jacques Vidrine
Date: Mon, 28 Mar 2005 14:45:12 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/contrib/telnet/telnet telnet.c
Message-Id: <200503281445.j2SEjCQT046186@repoman.freebsd.org>
X-FreeBSD-CVS-Branch: HEAD

nectar      2005-03-28 14:45:12 UTC

  FreeBSD src repository

  Modified files:
    contrib/telnet/telnet telnet.c
  Log:
  Correct a pair of buffer overflows in the telnet(1) command:

  (CAN-2005-0468) A heap buffer overflow in env_opt_add() and related
  functions.

  (CAN-2005-0469) A global uninitialized data section buffer overflow in
  slc_add_reply() and related functions.

  As a result of these vulnerabilities, it may be possible for a malicious
  telnet server or active network attacker to cause telnet(1) to execute
  arbitrary code with the privileges of the user running it.

  Security: CAN-2005-0468, CAN-2005-0469
  Security: FreeBSD-SA-05:01.telnet
  Security: http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
  Security: http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities

  These fixes are based in part on patches
  Submitted by: Solar Designer

  Revision  Changes    Path
  1.16      +24 -6     src/contrib/telnet/telnet/telnet.c