-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2001-012
                 =================================

Topic:		telnetd(8) options overflow

Version:	All NetBSD releases prior to 2001-07-19

Severity:	remote root from any host which can connect to telnetd(8)

Fixed:		NetBSD-current:		2001-07-19
		NetBSD-1.5 branch:	2001-07-29
		NetBSD-1.4 branch:	Supplied patch (see below).

		A patch is provided for all releases that will fix
		the problem.  Pullups to other branches are
		anticipated, see 'More Information' below for how to
		track this progress.

Abstract
========

A buffer overflow existed in the telnetd(8) program. Any client
connecting could cause the telnetd instance to SEGV, and possibly
to execute arbitrary code as root.


Technical Details
=================

Technical details of the vulnerabilities are publicised in
CERT Advisory CA-2001-21:
	http://www.cert.org/advisories/CA-2001-21.html

A strong indication of attempted exploitation of this bug may be found
by examining log entries sent to the syslogd(8) system logger facility
DAEMON (which is stored in /var/log/messages by default) of the form:
	telnetd \[[0-9]*\]: ttloop: peer died: No such file or directory


Solutions and Workarounds
=========================

telnetd(8) has been shipped disabled since June 2000, including the
NetBSD 1.5 and 1.5.1 releases, and -current after that date.

If you are running an earlier release, or have re-enabled telnetd(8)
in 1.5.x, disable it now by commenting out the line beginning with
telnetd(8) in /etc/inetd.conf, and kill -HUP your inetd process.

As a reminder, unless you are running on a private network, telnet
exposes your passwords to the Internet. Even on a private network,
passwords may be exposed to inappropriate individuals. Use a strong,
secure protocol, such as Secure Shell instead.

The following instructions describe how to upgrade your telnetd(8)
by updating your source tree and rebuilding and installing a new
version of telnetd(8).

* NetBSD -current, 1.5, 1.5.1:

	Systems running NetBSD-current dated from before 2001-07-19
	should be upgraded to NetBSD-current dated 2001-07-20 or later.

	Systems running NetBSD 1.5 or 1.5.1 dated from before
	2001-07-29 should be upgraded to NetBSD 1.5.x sources dated
	2001-07-30 or later.

	The following directory needs to be updated from the
	netbsd-current CVS branch (aka HEAD) for NetBSD-current,
	or netbsd-1-5 CVS branch for NetBSD 1.5 or 1.5.1:
		src/libexec/telnetd

	To update from CVS, re-build, and re-install telnetd(8):
		# cd src/libexec/telnetd
		# cvs update -d -P
		# make cleandir dependall install


	Alternatively, apply the following patch (with potential offset
	differences) and rebuild & re-install telnetd(8):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-012-telnetd.patch

	To patch, re-build and re-install telnetd(8):
		# cd src/libexec/telnetd
		# patch < /path/to/SA2001-012-telnetd.patch
		# make cleandir dependall install


* NetBSD 1.3, 1.3.x, 1.4, 1.4.x:

	Systems running NetBSD releases up to and including 1.5.1 should
	apply the following patch (with potential offset differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-012-telnetd.patch

	To patch, re-build and re-install telnetd(8):
		# cd src/libexec/telnetd
		# patch < /path/to/SA2001-012-telnetd.patch
		# make cleandir dependall install


	The anonymous CVS branch netbsd-1-4 should be updated with a
	fix in the near future.


Thanks To
=========

TESO for the advisory.

Jason Thorpe <thorpej@netbsd.org> for analysis.

Krister Walfridsson <kristerw@netbsd.org> for testing.

Jun-ichiro Hagino <itojun@netbsd.org> for a fix in NetBSD-current
from the Heimdal telnetd sources, by way of OpenBSD.

David Maxwell <david@netbsd.org> for the fix for previous releases.


Revision History
================

	2001-07-25	Initial revision.

	2001-07-25	Info on how to detect exploit attempts.

	2001-08-08	Update for netbsd-1-5 pullup.


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2001, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-012.txt,v 1.13 2001/08/08 01:22:37 lukem Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO3s4kD5Ru2/4N2IFAQFa2QP+PmmIoD/0tCgJaesTJCeydCQQovak4grx
aWcvY1Kqauv5gueSJ4w+vMUOK2BOsK/Ny0ViIZtfgExELFn1585UPhAbSbYeFA5j
g5i4jYrFNYWYvJwgRhHWtg81nsW/7urLu0SUnurdSAa5TpdifKJNZmAtqlpfE+ke
TxXOmk838ho=
=Mr89
-----END PGP SIGNATURE-----