Hi,

The security team forwarded a buffer overflow bug in netkit-telnet-ssl to me. The bug turned out not to be exploitable, it just causes a segfault, but they recommended I contact the SRMs to include it in a stable update.

The fixed version, 0.17.24+0.1-24, is in testing. The diff from -23 contains the fix but I've just noticed also contains a gratuitous removal of .gitignore. Patch (minus .gitignore removal) is attached.

The package is overdue for a polish, hardening flags, etc, but that's not appropriate for a stable update so I'm saving that for a later upload.

#695181 covers the same bug, but at the time nobody realised it had security implications, that was a separate private report to the security team.

thanks,

Ian.

-- 
Ian Beckwith - ianb@debian.org - ianb@erislabs.net - http://erislabs.net/ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5 4814 40EC C154 A8BA C1EA

diff --git a/debian/changelog b/debian/changelog index 7e1a9e0..b0f5074 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +netkit-telnet-ssl (0.17.24+0.1-24) unstable; urgency=medium + + * Fix buffer overflow (Closes: #695181). + + -- Ian Beckwith <ianb@debian.org> Sat, 22 Feb 2014 17:00:11 +0000 + netkit-telnet-ssl (0.17.24+0.1-23) unstable; urgency=low * Remove hardcoded dependencies on libssl0.9.8 (Closes: #622656) diff --git a/libtelnet/ssl.c b/libtelnet/ssl.c index affa2be..e008713 100644 --- a/libtelnet/ssl.c +++ b/libtelnet/ssl.c @@ -148,31 +148,35 @@ SSL *ssl_con; int verbose; { X509 *peer; - char *cipher_list; + char *p; if (ssl_active_flag && verbose) { #ifdef SSLEAY8 - char *p; - char buf[1024]; int i; - +#endif /* SSLEAY8 */ + fprintf(stderr,"[SSL cipher="); +#ifdef SSLEAY8 /* grab the full list of ciphers */ i=0; - buf[0]='\0'; while((p=(char *)SSL_get_cipher_list(ssl_con,i++))!=NULL) { - if (i>0) - strcat(buf,":"); - strcat(buf,p); + if (i>1) { + fprintf(stderr,":"); + } + fprintf(stderr, "%s", p); + } + if(i==1) { + fprintf(stderr, "<NULL>"); } - cipher_list=buf; #else /* !SSLEAY8 */ - cipher_list=SSL_get_cipher(ssl_con); + p=SSL_get_cipher(ssl_con); + if(p) { + fprintf(stderr, "%s", p); + } else { + /* the cipher list *can* be NULL ... useless but it happens! */ + fprintf(stderr, "<NULL>"); + } #endif /* !SSLEAY8 */ - - /* the cipher list *can* be NULL ... useless but it happens! */ - if (cipher_list==NULL) - cipher_list="<NULL>"; - fprintf(stderr,"[SSL cipher=%s]\r\n",cipher_list); + fprintf(stderr,"]\r\n"); peer=SSL_get_peer_certificate(ssl_con); if (peer != NULL) { char *str;
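
Review bot: the new debian/changelog entry says only "Fix buffer overflow" and does not say where the overflow was. Naming libtelnet/ssl.c and the verbose "[SSL cipher=...]" output would let a reader of the changelog see what was touched without opening the diff. The entry is also written for unstable with urgency=medium, so an upload aimed at stable would need its own entry rather than this one reused.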
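
Review bot: in the libtelnet/ssl.c hunk, p is declared as "char *p" and the loop keeps the "(char *)" cast on SSL_get_cipher_list(ssl_con,i++), which throws away the const qualifier on a string the code never modifies. Since p is now only handed to fprintf with "%s", declaring it "const char *p" lets the cast go and also covers the "p=SSL_get_cipher(ssl_con);" assignment in the !SSLEAY8 branch. The "if(i==1)" test for an empty list is correct only because of the post-increment in the loop condition (the first call uses index 0 and leaves i at 1 when it returns NULL), so a one-line comment there would help the next reader. Dropping buf[1024] and the strcat calls in favour of writing each name straight to stderr leaves no length to bound, and changing "if (i>0)" to "if (i>1)" also removes the leading ":" the old code always emitted.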