Hi,

The security team forwarded a buffer overflow bug in netkit-telnet-ssl to me. The bug turned out not to be exploitable, it just causes a segfault, but they recommended I contact the SRMs to include it in a stable update.

The fixed version, 0.17.24+0.1-24, is in testing. The diff from -23 contains the fix but I've just noticed also contains a gratuitous removal of .gitignore. Patch (minus .gitignore removal) is attached.

The package is overdue for a polish, hardening flags, etc, but that's not appropriate for a stable update so I'm saving that for a later upload.

#695181 covers the same bug, but at the time nobody realised it had security implications, that was a separate private report to the security team.

thanks,

Ian.

-- 
Ian Beckwith - ianb@debian.org - ianb@erislabs.net - http://erislabs.net/ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5 4814 40EC C154 A8BA C1EA

diff --git a/debian/changelog b/debian/changelog
index 7e1a9e0..b0f5074 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+netkit-telnet-ssl (0.17.24+0.1-24) unstable; urgency=medium
+
+ * Fix buffer overflow (Closes: #695181).
+
+ -- Ian Beckwith <ianb@debian.org> Sat, 22 Feb 2014 17:00:11 +0000
+
netkit-telnet-ssl (0.17.24+0.1-23) unstable; urgency=low
* Remove hardcoded dependencies on libssl0.9.8 (Closes: #622656)
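Review bot: The entry "Fix buffer overflow (Closes: #695181)" does not say where the overflow is or that it was also handled as a security report. Suggest naming the file and the condition, for example that the verbose cipher display in libtelnet/ssl.c concatenated the cipher list into a fixed 1024-byte buffer, so the change can be judged from the changelog alone. The entry also targets unstable with version -24, so the stable upload described in the cover mail will need its own entry with a different distribution and version.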
diff --git a/libtelnet/ssl.c b/libtelnet/ssl.c
index affa2be..e008713 100644
--- a/libtelnet/ssl.c
+++ b/libtelnet/ssl.c
@@ -148,31 +148,35 @@ SSL *ssl_con;
int verbose;
{
X509 *peer;
- char *cipher_list;
+ char *p;
if (ssl_active_flag && verbose) {
#ifdef SSLEAY8
- char *p;
- char buf[1024];
int i;
-
+#endif /* SSLEAY8 */
+ fprintf(stderr,"[SSL cipher=");
+#ifdef SSLEAY8
/* grab the full list of ciphers */
i=0;
- buf[0]='\0';
while((p=(char *)SSL_get_cipher_list(ssl_con,i++))!=NULL) {
- if (i>0)
- strcat(buf,":");
- strcat(buf,p);
+ if (i>1) {
+ fprintf(stderr,":");
+ }
+ fprintf(stderr, "%s", p);
+ }
+ if(i==1) {
+ fprintf(stderr, "<NULL>");
}
- cipher_list=buf;
#else /* !SSLEAY8 */
- cipher_list=SSL_get_cipher(ssl_con);
+ p=SSL_get_cipher(ssl_con);
+ if(p) {
+ fprintf(stderr, "%s", p);
+ } else {
+ /* the cipher list *can* be NULL ... useless but it happens! */
+ fprintf(stderr, "<NULL>");
+ }
#endif /* !SSLEAY8 */
-
- /* the cipher list *can* be NULL ... useless but it happens! */
- if (cipher_list==NULL)
- cipher_list="<NULL>";
- fprintf(stderr,"[SSL cipher=%s]\r\n",cipher_list);
+ fprintf(stderr,"]\r\n");
peer=SSL_get_peer_certificate(ssl_con);
if (peer != NULL) {
char *str;
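Review bot: In the SSLEAY8 branch the separator test `if (i>1)` and the empty-list test `if(i==1)` are only correct because `i++` has already run inside the `while` condition, which is easy to break in a later edit; a one-line comment or a separate first-item flag would make that dependency explicit. Writing each cipher name straight to stderr removes the unbounded `strcat` into `buf[1024]`, so no length check is needed any more, but it is worth stating in a comment why no buffer is used so it is not reintroduced. Separately, `p=SSL_get_cipher(ssl_con);` in the !SSLEAY8 branch assigns to `char *p` without the cast used on `SSL_get_cipher_list`; since `p` is only ever printed, declaring it `const char *p` would suit both calls and let the cast go.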