talkd [WAS: Re: OpenBSD Security Advisory]

[Chris Evans <chris () SCARY BEASTS ORG>]

On Wed, 4 Oct 2000, K2 wrote:

[...]

> OK, hold on a second....  The following "snip snip" is a little long...
> and I have not verified it, (a guaranteed DoS though).
>
> talkd, A DEFAULT service.

[...]

>         *bptr = '\0';
>         fprintf(tf, big_buf);
>         fflush(tf);

This is in announce.c, function print_mesg(). "big_buf" contains, as far
as I can see, data supplied by the remote (for example the remote
username). %'s don't seem to get filtered

So, seeing this post I was concerned :-)

I've investigated things from a Linux point of view. Most Linux vendors
will be shipping talkd from the Linux netkit. Also, most Linux vendors
listen on the talkd port by default! Good news - current Linux netkit is
NOT VULNERABLE. Older versions (2+ yrs) are.

More version details;

RedHat-7.0; talk-0.17-7.src.rpm: SAFE (write(2) used)
...
        *bptr = 0;
        write(fd, big_buf, strlen(big_buf));
...

RedHat-6.0; talk-0.11-1.src.rpm: SAFE (write(2) used)
...
        *bptr = 0;
        write(fd, big_buf, strlen(big_buf));
...

RedHat-5.2; ntalk-0.10-4.src.rpm: POSSIBLY VULNERABLE
                                  (fprintf(3) used buggily)
...
        *bptr = 0;
        fprintf(tf, big_buf);
        fflush(tf);
...


Cheers
Chris