Date:      Fri, 16 Jul 2004 00:33:50 -0400
From:      Marques Johansson <marques@displague.com>
To:        ports@FreeBSD.org, netbug@ftp.uk.linux.org
Subject:   patch for SSLtelnet vulnerability (CAN-2004-0640)
Message-ID:  <40F75AAE.5040806@displague.com>

Apologies in advance for not being familiar with FreeBSD's patch/ports 
system. As far as I can tell, SSLtelnet is deprecated on FreeBSD. Even 
so, I would like to offer the following patch to fix the vulnerability 
described in CAN-2004-0640:

00_CAN-2004-0640-1.patch
< patch >
--- telnetd/telnetd.c.orig      2004-07-13 02:58:01.000000000 -0400
+++ telnetd/telnetd.c   2004-07-13 03:27:23.000000000 -0400
@@ -520,7 +520,7 @@
                sprintf(errbuf,"SSL_accept error %s\n",
                    ERR_error_string(ERR_get_error(),NULL));

-               syslog(LOG_WARNING, errbuf);
+               syslog(LOG_WARNING, "%.500s", errbuf);

                BIO_printf(bio_err,errbuf);

< /patch >
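
Review bot: The context line BIO_printf(bio_err,errbuf); directly after the changed syslog() call still passes errbuf as the format string, so the same format-string problem remains on that output path; it should become BIO_printf(bio_err, "%s", errbuf);. The sprintf() into errbuf at the top of the hunk is also unbounded, and the 500 in "%.500s" is a magic number whose relation to the size of errbuf is not visible in this hunk; a bounded snprintf() against the real buffer size, plus a short comment saying where 500 comes from, would make the fix easier to verify.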

Thanks.  I am CC'ing this patch to the netkit maintainer email given in the package.  I have already given this information to the Debian maintainer.  OpenBSD, NetBSD, & Redhat appear not to use telnetd with SSL support.  They favor use of "openssl s_client -connect host:port".

-- 
  Marques Johansson
 marques@displague.com





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40F75AAE.5040806>