On 12/25/2011 10:14 AM, Florian Weimer wrote:
> This is just a heads-up: CVE-2011-4862, a pre-authentication buffer
> overflow in telnetd recently fixed by FreeBSD is not BSD-specific. It
> seems to have been added at MIT when the BSD telnetd was Kerberized,
> and it ended up in the Heimdal recryptofication of Kerberos (from
> where FreeBSD got it) and later in GNU inetutils. I have reproduced a
> pre-authentication segfault with both versions (as shipped by Debian).
>
> The telnetd from netkit does not appear to be affected.
Good write up at:
http://thexploit.com/secdev/a-textbook-buffer-overflow-a-look-at-the-freebsd-telnetd-code/
-- -Kurt Seifried / Red Hat Security Response Team