Subject: Re: Buffer overrun patches
To: David Holland <dholland@hcs.harvard.edu>
From: Michael Graff <explorer@flame.org>
List: tech-userlevel
Date: 09/07/1996 17:05:33
David Holland <dholland@hcs.harvard.edu> writes:
> Here are patches for three security bugs I fixed in Linux code this
> week. They're against NetBSD-current as of about half an hour ago.
>
> - rwhod: possible buffer overflow copying hostname out of rwho
> protocol packet onto stack. May or may not be actually
> exploitable, as it's in main and main doesn't return.
I applied this patch. It can't _hurt_ really, so I'll also commit
it. The only attack that could now be used would be to have two long
hostnames "collide" but if anyone relies on rwho and correctness...
> - telnetd: block the ENV variable from being transferred, as in some
> circumstances this may lead to unexpected execution of commands.
> (ENV points bash and other shells at command text to execute.)
I have applied this but not committed it. Any objections?
> - tftp: fix three places where DNS spoofing could cause a buffer
> overrun on the stack. This could permit external access to the
> account running tftp.
I also applied this, and have committed it.