Bugtraq mailing list archives
talkd [WAS: Re: OpenBSD Security Advisory]
From: Chris Evans <chris () SCARY BEASTS ORG>
Date: Fri, 6 Oct 2000 00:00:16 +0100
On Wed, 4 Oct 2000, K2 wrote: [...]
OK, hold on a second.... The following "snip snip" is a little long... and I have not verified it, (a guaranteed DoS though). talkd, A DEFAULT service.
[...]
        *bptr = '\0';
        fprintf(tf, big_buf);
        fflush(tf);

This is in announce.c, function print_mesg(). "big_buf" contains, as far as I can see, data supplied by the remote (for example the remote username). %'s don't seem to get filtered

So, seeing this post I was concerned :-)

I've investigated things from a Linux point of view. Most Linux vendors will be shipping talkd from the Linux netkit. Also, most Linux vendors listen on the talkd port by default!

Good news - current Linux netkit is NOT VULNERABLE. Older versions (2+ yrs) are.

More version details;

RedHat-7.0; talk-0.17-7.src.rpm: SAFE (write(2) used)
...
        *bptr = 0;
        write(fd, big_buf, strlen(big_buf));
...

RedHat-6.0; talk-0.11-1.src.rpm: SAFE (write(2) used)
...
        *bptr = 0;
        write(fd, big_buf, strlen(big_buf));
...

RedHat-5.2; ntalk-0.10-4.src.rpm: POSSIBLY VULNERABLE (fprintf(3) used buggily)
...
        *bptr = 0;
        fprintf(tf, big_buf);
        fflush(tf);
...

Cheers
Chris
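The difference between the two call forms quoted in the message, as an added example that is not part of the original post or of the netkit source: the same buffer is emitted once as the format string and once as a "%s" argument, and the output is compared with the buffer. The user name, message layout and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a remote-supplied user name (not from the page).
 * "%%" is the one conversion that takes no argument, so it shows the buffer
 * being parsed as a format without touching the argument list. */
static const char REMOTE_USER[] = "guest%%";

#pragma GCC diagnostic ignored "-Wformat-security"

/* Pattern quoted for ntalk-0.10: big_buf itself is the format string. */
static int announce_fprintf(FILE *tf, const char *big_buf)
{
    int n = fprintf(tf, big_buf);
    fflush(tf);
    return n;
}

/* Hardened form: the data is only ever an argument, never the format.
 * (The netkit versions quoted as SAFE use write(2) on the raw bytes.) */
static int announce_literal(FILE *tf, const char *big_buf)
{
    int n = fprintf(tf, "%s", big_buf);
    fflush(tf);
    return n;
}

/* Build a constructed announcement, emit it with `emit` into a temp file,
 * and return 1 if big_buf came out byte for byte, 0 if not, -1 on error. */
int announce_is_verbatim(int (*emit)(FILE *, const char *))
{
    char big_buf[128], out[128] = {0};
    FILE *tf = tmpfile();
    if (tf == NULL) return -1;
    snprintf(big_buf, sizeof big_buf,
             "talk: connection requested by %s@host.example\n", REMOTE_USER);
    emit(tf, big_buf);
    rewind(tf);
    size_t got = fread(out, 1, sizeof out - 1, tf);
    fclose(tf);
    return got == strlen(big_buf) && memcmp(out, big_buf, got) == 0;
}

int main(void)
{
    printf("fprintf(tf, big_buf):         verbatim=%d\n", announce_is_verbatim(announce_fprintf));
    printf("fprintf(tf, \"%%s\", big_buf):   verbatim=%d\n", announce_is_verbatim(announce_literal));
    return 0;
}
```

Building without the pragma and with `-Wformat -Wformat-security` makes GCC and Clang flag the `fprintf(tf, big_buf)` call, which is a quick way to find the same pattern elsewhere in a code base.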