Multiple Vendor Telnet Client Env_opt_add Heap-Based Buffer Overflow Vulnerability
BID:12919
Info
| Bugtraq ID: | 12919 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2005-0468 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 28 2005 12:00AM |
| Updated: | Feb 22 2007 06:56PM |
| Credit: | Gael Delalleau is credited with the discovery of this issue. |
| Vulnerable: |
Ubuntu Ubuntu Linux 5.0 4 powerpc Ubuntu Ubuntu Linux 5.0 4 i386 Ubuntu Ubuntu Linux 5.0 4 amd64 Trustix Secure Linux 2.2 Trustix Secure Linux 2.1 Trustix Secure Enterprise Linux 2.0 SuSE SUSE Linux Enterprise Server 8 SuSE SUSE Linux Enterprise Server 7 SuSE Linux Enterprise Server 9 SuSE Linux Desktop 1.0 SuSE Linux 8.1 SuSE Linux 8.0 i386 SuSE Linux 8.0 SuSE Linux 7.3 sparc SuSE Linux 7.3 ppc SuSE Linux 7.3 i386 SuSE Linux 7.3 SuSE Linux 7.2 i386 SuSE Linux 7.2 SuSE Linux 7.1 x86 SuSE Linux 7.1 sparc SuSE Linux 7.1 ppc SuSE Linux 7.1 alpha SuSE Linux 7.1 SuSE Linux 7.0 sparc SuSE Linux 7.0 ppc SuSE Linux 7.0 i386 SuSE Linux 7.0 alpha SuSE Linux 7.0 Sun SEAM 1.0.2 Sun SEAM 1.0.1 Sun SEAM 1.0 Slackware Linux 10.1 Slackware Linux 10.0 Slackware Linux 9.1 Slackware Linux 9.0 Slackware Linux 8.1 Slackware Linux -current SGI ProPack 3.0 SGI IRIX 6.5.27 SGI IRIX 6.5.26 SGI IRIX 6.5.25 SGI IRIX 6.5.24 m SGI IRIX 6.5.24 SGI IRIX 6.5.23 m SGI IRIX 6.5.23 SGI IRIX 6.5.22 m SGI IRIX 6.5.22 SGI IRIX 6.5.21 m SGI IRIX 6.5.21 f SGI IRIX 6.5.21 SGI IRIX 6.5.20 m SGI IRIX 6.5.20 f SGI IRIX 6.5.20 SGI IRIX 6.5.19 m SGI IRIX 6.5.19 f SGI IRIX 6.5.19 SGI IRIX 6.5.18 m SGI IRIX 6.5.18 f SGI IRIX 6.5.18 SGI IRIX 6.5.17 m SGI IRIX 6.5.17 f SGI IRIX 6.5.17 SGI IRIX 6.5.16 m SGI IRIX 6.5.16 f SGI IRIX 6.5.16 SGI IRIX 6.5.15 m SGI IRIX 6.5.15 f SGI IRIX 6.5.15 SGI IRIX 6.5.14 m SGI IRIX 6.5.14 f SGI IRIX 6.5.14 SGI IRIX 6.5.13 m SGI IRIX 6.5.13 f SGI IRIX 6.5.13 SGI IRIX 6.5.12 m SGI IRIX 6.5.12 f SGI IRIX 6.5.12 SGI IRIX 6.5.11 m SGI IRIX 6.5.11 f SGI IRIX 6.5.11 SGI IRIX 6.5.10 m SGI IRIX 6.5.10 f SGI IRIX 6.5.10 SGI IRIX 6.5.9 m SGI IRIX 6.5.9 f SGI IRIX 6.5.9 SGI IRIX 6.5.8 m SGI IRIX 6.5.8 f SGI IRIX 6.5.8 SGI IRIX 6.5.7 m SGI IRIX 6.5.7 f SGI IRIX 6.5.7 SGI IRIX 6.5.6 m SGI IRIX 6.5.6 f SGI IRIX 6.5.6 SGI IRIX 6.5.5 m SGI IRIX 6.5.5 f SGI IRIX 6.5.5 SGI IRIX 6.5.4 m SGI IRIX 6.5.4 f SGI IRIX 6.5.4 SGI IRIX 6.5.3 m SGI IRIX 6.5.3 f SGI IRIX 6.5.3 SGI IRIX 6.5.2 m SGI IRIX 6.5.2 f 
SGI IRIX 6.5.2 SGI IRIX 6.5.1 SGI IRIX 6.5 20 SGI IRIX 6.5 .19m SGI IRIX 6.5 .19f SGI IRIX 6.5 SGI IRIX 6.4 SGI IRIX 6.3 SGI IRIX 6.2 SGI IRIX 6.1 SGI IRIX 6.0.1 XFS SGI IRIX 6.0.1 SGI IRIX 6.0 SGI IRIX 5.3 XFS SGI IRIX 5.3 SGI IRIX 5.2 SGI IRIX 5.1.1 SGI IRIX 5.1 SGI IRIX 5.0.1 SGI IRIX 5.0 SGI IRIX 4.0.5 IPR SGI IRIX 4.0.5 H SGI IRIX 4.0.5 G SGI IRIX 4.0.5 F SGI IRIX 4.0.5 E SGI IRIX 4.0.5 D SGI IRIX 4.0.5 A SGI IRIX 4.0.5 (IOP) SGI IRIX 4.0.5 SGI IRIX 4.0.4 T SGI IRIX 4.0.4 B SGI IRIX 4.0.4 SGI IRIX 4.0.3 SGI IRIX 4.0.2 SGI IRIX 4.0.1 T SGI IRIX 4.0.1 SGI IRIX 4.0 SGI IRIX 3.3.3 SGI IRIX 3.3.2 SGI IRIX 3.3.1 SGI IRIX 3.3 SGI IRIX 3.2 SCO Unixware 7.1.4 SCO Unixware 7.1.3 SCO Unixware 7.1.1 SCO Open Server 5.0.7 SCO Open Server 5.0.6 S.u.S.E. Linux Personal 9.2 x86_64 S.u.S.E. Linux Personal 9.2 S.u.S.E. Linux Personal 9.1 x86_64 S.u.S.E. Linux Personal 9.1 S.u.S.E. Linux Personal 9.0 x86_64 S.u.S.E. Linux Personal 9.0 S.u.S.E. Linux Personal 8.2 S.u.S.E. Linux Enterprise Server for S/390 9.0 Redhat Linux 9.0 i386 Redhat Linux 7.3 i686 Redhat Linux 7.3 i386 Redhat Linux 7.3 Redhat Fedora Core1 Redhat Advanced Workstation for the Itanium Processor 2.1 IA64 Redhat Advanced Workstation for the Itanium Processor 2.1 Openwall Openwall GNU/*/Linux 1.1 Openwall Openwall GNU/*/Linux 1.0 Openwall Openwall GNU/*/Linux (Owl)-current OpenBSD OpenBSD 3.6 OpenBSD OpenBSD 3.5 Netkit Linux Netkit 0.17.17 Netkit Linux Netkit 0.17 Netkit Linux Netkit 0.16 Netkit Linux Netkit 0.15 Netkit Linux Netkit 0.14 Netkit Linux Netkit 0.12 Netkit Linux Netkit 0.11 Netkit Linux Netkit 0.10 Netkit Linux Netkit 0.9 NetBSD NetBSD 2.0.2 NetBSD NetBSD 2.0.1 NetBSD NetBSD 2.0 MIT Kerberos 5 1.4 MIT Kerberos 5 1.3.6 MIT Kerberos 5 1.3.5 MIT Kerberos 5 1.3.4 MIT Kerberos 5 1.3.3 MIT Kerberos 5 1.3.2 MIT Kerberos 5 1.3.1 MIT Kerberos 5 1.3 -alpha1 MIT Kerberos 5 1.3 MIT Kerberos 5 1.2.8 MIT Kerberos 5 1.2.7 MIT Kerberos 5 1.2.6 MIT Kerberos 5 1.2.5 MIT Kerberos 5 1.2.4 MIT Kerberos 5 1.2.3 MIT 
Kerberos 5 1.2.2 -beta1 MIT Kerberos 5 1.2.2 MIT Kerberos 5 1.2.1 MIT Kerberos 5 1.2 MIT Kerberos 5 1.1.1 MIT Kerberos 5 1.1 MIT Kerberos 5 1.0.8 MIT Kerberos 5 1.0.6 MIT Kerberos 5 1.0 Heimdal Heimdal 0.6.3 Heimdal Heimdal 0.6.2 Heimdal Heimdal 0.6.1 Heimdal Heimdal 0.6 Heimdal Heimdal 0.5.3 Heimdal Heimdal 0.5.2 Heimdal Heimdal 0.5.1 Heimdal Heimdal 0.5 .0 Gentoo Linux FreeBSD FreeBSD 5.4 -PRERELEASE FreeBSD FreeBSD 5.3 -STABLE FreeBSD FreeBSD 5.3 -RELEASE FreeBSD FreeBSD 5.3 FreeBSD FreeBSD 5.2.1 -RELEASE FreeBSD FreeBSD 5.2 -RELENG FreeBSD FreeBSD 5.2 -RELEASE FreeBSD FreeBSD 5.2 FreeBSD FreeBSD 5.1 -RELENG FreeBSD FreeBSD 5.1 -RELEASE/Alpha FreeBSD FreeBSD 5.1 -RELEASE-p5 FreeBSD FreeBSD 5.1 -RELEASE FreeBSD FreeBSD 5.1 FreeBSD FreeBSD 5.0 -RELENG FreeBSD FreeBSD 5.0 -RELEASE-p14 FreeBSD FreeBSD 5.0 alpha FreeBSD FreeBSD 5.0 FreeBSD FreeBSD 4.11 -STABLE FreeBSD FreeBSD 4.10 -RELENG FreeBSD FreeBSD 4.10 -RELEASE FreeBSD FreeBSD 4.10 FreeBSD FreeBSD 4.9 -RELENG FreeBSD FreeBSD 4.9 -PRERELEASE FreeBSD FreeBSD 4.9 FreeBSD FreeBSD 4.8 -RELENG FreeBSD FreeBSD 4.8 -RELEASE-p7 FreeBSD FreeBSD 4.8 -PRERELEASE FreeBSD FreeBSD 4.8 FreeBSD FreeBSD 4.7 -STABLE FreeBSD FreeBSD 4.7 -RELENG FreeBSD FreeBSD 4.7 -RELEASE-p17 FreeBSD FreeBSD 4.7 -RELEASE FreeBSD FreeBSD 4.7 FreeBSD FreeBSD 4.6.2 FreeBSD FreeBSD 4.6 -STABLE FreeBSD FreeBSD 4.6 -RELENG FreeBSD FreeBSD 4.6 -RELEASE-p20 FreeBSD FreeBSD 4.6 -RELEASE FreeBSD FreeBSD 4.6 FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07 FreeBSD FreeBSD 4.5 -STABLE FreeBSD FreeBSD 4.5 -RELENG FreeBSD FreeBSD 4.5 -RELEASE-p32 FreeBSD FreeBSD 4.5 -RELEASE FreeBSD FreeBSD 4.5 FreeBSD FreeBSD 4.4 -STABLE FreeBSD FreeBSD 4.4 -RELENG FreeBSD FreeBSD 4.4 -RELENG FreeBSD FreeBSD 4.4 -RELEASE-p42 FreeBSD FreeBSD 4.4 FreeBSD FreeBSD 4.3 -STABLE FreeBSD FreeBSD 4.3 -RELENG FreeBSD FreeBSD 4.3 -RELEASE-p38 FreeBSD FreeBSD 4.3 -RELEASE FreeBSD FreeBSD 4.3 FreeBSD FreeBSD 4.2 -STABLEpre122300 FreeBSD FreeBSD 4.2 -STABLEpre050201 FreeBSD FreeBSD 4.2 -STABLE 
FreeBSD FreeBSD 4.2 -RELEASE FreeBSD FreeBSD 4.2 FreeBSD FreeBSD 4.1.1 -STABLE FreeBSD FreeBSD 4.1.1 -RELEASE FreeBSD FreeBSD 4.1.1 FreeBSD FreeBSD 4.1 FreeBSD FreeBSD 4.0 .x FreeBSD FreeBSD 4.0 -RELENG FreeBSD FreeBSD 4.0 alpha FreeBSD FreeBSD 4.0 F5 BIG-IP 4.6.2 F5 BIG-IP 4.6 F5 BIG-IP 4.5.12 F5 BIG-IP 4.5.11 F5 BIG-IP 4.5.10 F5 BIG-IP 4.5.9 F5 BIG-IP 4.5.6 F5 BIG-IP 4.5 F5 BIG-IP 4.4 F5 BIG-IP 4.3 F5 BIG-IP 4.2 F5 BIG-IP 4.0 F5 3-DNS 4.6.2 F5 3-DNS 4.6 F5 3-DNS 4.5.12 F5 3-DNS 4.5.11 F5 3-DNS 4.5 F5 3-DNS 4.4 F5 3-DNS 4.3 F5 3-DNS 4.2 Debian Linux 3.0 sparc Debian Linux 3.0 s/390 Debian Linux 3.0 ppc Debian Linux 3.0 mipsel Debian Linux 3.0 mips Debian Linux 3.0 m68k Debian Linux 3.0 ia-64 Debian Linux 3.0 ia-32 Debian Linux 3.0 hppa Debian Linux 3.0 arm Debian Linux 3.0 alpha Avaya S8710 R2.0.1 Avaya S8710 R2.0.0 Avaya S8700 R2.0.1 Avaya S8700 R2.0.0 Avaya S8500 R2.0.1 Avaya S8500 R2.0.0 Avaya S8300 R2.0.1 Avaya S8300 R2.0.0 Avaya Modular Messaging (MSS) 2.0 Avaya Modular Messaging (MSS) 1.1 Avaya Modular Messaging S3400 Avaya MN100 Avaya Intuity LX Avaya CVLAN Avaya Converged Communications Server 2.0 Apple Mac OS X Server 10.3.8 Apple Mac OS X Server 10.3.7 Apple Mac OS X Server 10.3.6 Apple Mac OS X Server 10.3.5 Apple Mac OS X Server 10.3.4 Apple Mac OS X Server 10.3.3 Apple Mac OS X Server 10.3.2 Apple Mac OS X Server 10.3.1 Apple Mac OS X Server 10.3 Apple Mac OS X Server 10.2.8 Apple Mac OS X Server 10.2.7 Apple Mac OS X Server 10.2.6 Apple Mac OS X Server 10.2.5 Apple Mac OS X Server 10.2.4 Apple Mac OS X Server 10.2.3 Apple Mac OS X Server 10.2.2 Apple Mac OS X Server 10.2.1 Apple Mac OS X Server 10.2 Apple Mac OS X Server 10.1.5 Apple Mac OS X Server 10.1.4 Apple Mac OS X Server 10.1.3 Apple Mac OS X Server 10.1.2 Apple Mac OS X Server 10.1.1 Apple Mac OS X Server 10.1 Apple Mac OS X Server 10.0 Apple Mac OS X 10.3.8 Apple Mac OS X 10.3.7 Apple Mac OS X 10.3.6 Apple Mac OS X 10.3.5 Apple Mac OS X 10.3.4 Apple Mac OS X 10.3.3 Apple Mac OS X 10.3.2 
Apple Mac OS X 10.3.1 Apple Mac OS X 10.3 Apple Mac OS X 10.2.8 Apple Mac OS X 10.2.7 Apple Mac OS X 10.2.6 Apple Mac OS X 10.2.5 Apple Mac OS X 10.2.4 Apple Mac OS X 10.2.3 Apple Mac OS X 10.2.2 Apple Mac OS X 10.2.1 Apple Mac OS X 10.2 Apple Mac OS X 10.1.5 Apple Mac OS X 10.1.4 Apple Mac OS X 10.1.3 Apple Mac OS X 10.1.2 Apple Mac OS X 10.1.1 Apple Mac OS X 10.1 Apple Mac OS X 10.1 Apple Mac OS X 10.0.4 Apple Mac OS X 10.0.3 Apple Mac OS X 10.0.2 Apple Mac OS X 10.0.1 Apple Mac OS X 10.0 3 Apple Mac OS X 10.0 ALT Linux ALT Linux Junior 2.3 ALT Linux ALT Linux Compact 2.3 |
| Not Vulnerable: |
Slackware Linux 10.1 Slackware Linux 10.0 Slackware Linux 9.1 Slackware Linux 9.0 Slackware Linux 8.1 Slackware Linux -current NetBSD NetBSD 2.0.3 Heimdal Heimdal 0.6.4 F5 BIG-IP 4.6.3 F5 BIG-IP 4.5.13 F5 3-DNS 4.6.3 F5 3-DNS 4.5.13 |
Discussion
Multiple vendors' Telnet client applications are reported prone to a remote buffer-overflow vulnerability. This vulnerability reportedly occurs in the 'env_opt_add()' function in the 'telnet.c' source file, which is apparently common source for all the affected vendors.
A remote attacker may exploit this vulnerability to execute arbitrary code on some of the affected platforms in the context of a user that is using the vulnerable Telnet client to connect to a malicious server.
Exploit / POC
The following proof-of-concept code, designed to simply trigger this issue, has been made available:
perl -e 'print "\377", "\372\42\3\377\377\3\3" x 43, "\377\360"' | nc -l 23
Currently we are not aware of any exploits for this issue.
Solution / Fix
Solution:
Please see the referenced advisories for details on obtaining and applying the appropriate updates.
Heimdal Heimdal 0.6
- Heimdal heimdal-0.6.4.tar.gz: ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.6.4.tar.gz
Heimdal Heimdal 0.6.1
- Heimdal heimdal-0.6.4.tar.gz: ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.6.4.tar.gz
MIT Kerberos 5 1.3.3
- Fedora krb5-debuginfo-1.3.6-4.i386.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
- Fedora krb5-debuginfo-1.3.6-4.x86_64.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
- Fedora krb5-devel-1.3.6-4.i386.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
- Fedora krb5-devel-1.3.6-4.x86_64.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
- Fedora krb5-libs-1.3.6-4.i386.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
- Fedora krb5-libs-1.3.6-4.x86_64.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
- Fedora krb5-server-1.3.6-4.i386.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
- Fedora krb5-server-1.3.6-4.x86_64.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
- Fedora krb5-workstation-1.3.6-4.i386.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
- Fedora krb5-workstation-1.3.6-4.x86_64.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
MIT Kerberos 5 1.3.6
- Ubuntu krb5-admin-server_1.3.6-1ubuntu0.1_amd64.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-admin-server_1.3.6-1ubuntu0.1_amd64.deb
- Ubuntu krb5-admin-server_1.3.6-1ubuntu0.1_powerpc.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-admin-server_1.3.6-1ubuntu0.1_powerpc.deb
- Ubuntu krb5-clients_1.3.6-1ubuntu0.1_amd64.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-clients_1.3.6-1ubuntu0.1_amd64.deb
- Ubuntu krb5-clients_1.3.6-1ubuntu0.1_i386.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-clients_1.3.6-1ubuntu0.1_i386.deb
- Ubuntu krb5-clients_1.3.6-1ubuntu0.1_powerpc.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-clients_1.3.6-1ubuntu0.1_powerpc.deb
- Ubuntu krb5-ftpd_1.3.6-1ubuntu0.1_amd64.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-ftpd_1.3.6-1ubuntu0.1_amd64.deb
- Ubuntu krb5-ftpd_1.3.6-1ubuntu0.1_i386.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-ftpd_1.3.6-1ubuntu0.1_i386.deb
- Ubuntu krb5-ftpd_1.3.6-1ubuntu0.1_powerpc.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-ftpd_1.3.6-1ubuntu0.1_powerpc.deb
- Ubuntu krb5-kdc_1.3.6-1ubuntu0.1_amd64.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-kdc_1.3.6-1ubuntu0.1_amd64.deb
- Ubuntu krb5-kdc_1.3.6-1ubuntu0.1_i386.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-kdc_1.3.6-1ubuntu0.1_i386.deb
- Ubuntu krb5-kdc_1.3.6-1ubuntu0.1_powerpc.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-kdc_1.3.6-1ubuntu0.1_powerpc.deb
- Ubuntu krb5-rsh-server_1.3.6-1ubuntu0.1_amd64.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-rsh-server_1.3.6-1ubuntu0.1_amd64.deb
- Ubuntu krb5-rsh-server_1.3.6-1ubuntu0.1_i386.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-rsh-server_1.3.6-1ubuntu0.1_i386.deb
- Ubuntu krb5-rsh-server_1.3.6-1ubuntu0.1_powerpc.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-rsh-server_1.3.6-1ubuntu0.1_powerpc.deb
- Ubuntu krb5-telnetd_1.3.6-1ubuntu0.1_amd64.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-telnetd_1.3.6-1ubuntu0.1_amd64.deb
- Ubuntu krb5-telnetd_1.3.6-1ubuntu0.1_i386.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-telnetd_1.3.6-1ubuntu0.1_i386.deb
- Ubuntu krb5-telnetd_1.3.6-1ubuntu0.1_powerpc.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-telnetd_1.3.6-1ubuntu0.1_powerpc.deb
- Ubuntu krb5-user_1.3.6-1ubuntu0.1_amd64.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-user_1.3.6-1ubuntu0.1_amd64.deb
- Ubuntu krb5-user_1.3.6-1ubuntu0.1_i386.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-user_1.3.6-1ubuntu0.1_i386.deb
- Ubuntu krb5-user_1.3.6-1ubuntu0.1_powerpc.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-user_1.3.6-1ubuntu0.1_powerpc.deb
- Ubuntu libkadm1-kerberos4kth_1.2.2-11.1ubuntu2.1_amd64.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb4/libkadm1-kerberos4kth_1.2.2-11.1ubuntu2.1_amd64.deb
- Ubuntu libkadm55_1.3.6-1ubuntu0.1_amd64.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkadm55_1.3.6-1ubuntu0.1_amd64.deb
- Ubuntu libkadm55_1.3.6-1ubuntu0.1_i386.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkadm55_1.3.6-1ubuntu0.1_i386.deb
- Ubuntu libkadm55_1.3.6-1ubuntu0.1_powerpc.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkadm55_1.3.6-1ubuntu0.1_powerpc.deb
- Ubuntu libkrb5-dev_1.3.6-1ubuntu0.1_amd64.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-dev_1.3.6-1ubuntu0.1_amd64.deb
- Ubuntu libkrb5-dev_1.3.6-1ubuntu0.1_i386.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-dev_1.3.6-1ubuntu0.1_i386.deb
- Ubuntu libkrb5-dev_1.3.6-1ubuntu0.1_powerpc.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-dev_1.3.6-1ubuntu0.1_powerpc.deb
- Ubuntu libkrb53_1.3.6-1ubuntu0.1_amd64.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb53_1.3.6-1ubuntu0.1_amd64.deb
- Ubuntu libkrb53_1.3.6-1ubuntu0.1_i386.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb53_1.3.6-1ubuntu0.1_i386.deb
- Ubuntu libkrb53_1.3.6-1ubuntu0.1_powerpc.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb53_1.3.6-1ubuntu0.1_powerpc.deb
- Ubuntu libkthacl1-kerberos4kth_1.2.2-11.1ubuntu2.1_i386.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb4/libkthacl1-kerberos4kth_1.2.2-11.1ubuntu2.1_i386.deb
- Ubuntu libkthacl1-kerberos4kth_1.2.2-11.1ubuntu2.1_powerpc.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb4/libkthacl1-kerberos4kth_1.2.2-11.1ubuntu2.1_powerpc.deb
- Ubuntu kerberos4kth-clients-x_1.2.2-11.1ubuntu2.1_amd64.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb4/kerberos4kth-clients-x_1.2.2-11.1ubuntu2.1_amd64.deb
- Ubuntu krb5-admin-server_1.3.6-1ubuntu0.1_i386.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-admin-server_1.3.6-1ubuntu0.1_i386.deb
- Ubuntu krb5-doc_1.3.6-1ubuntu0.1_all.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5-doc_1.3.6-1ubuntu0.1_all.deb
- Ubuntu libkadm1-kerberos4kth_1.2.2-11.1ubuntu2.1_i386.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb4/libkadm1-kerberos4kth_1.2.2-11.1ubuntu2.1_i386.deb
- Ubuntu libkafs0-kerberos4kth_1.2.2-11.1ubuntu2.1_i386.deb (Ubuntu 5.04 (Hoary Hedgehog)): http://security.ubuntu.com/ubuntu/pool/main/k/krb4/libkafs0-kerberos4kth_1.2.2-11.1ubuntu2.1_i386.deb
Apple Mac OS X Server 10.3.8
- Apple SecUpdSrvr2005-003Pan.dmg: http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=05530&platform=osx&method=sa/SecUpdSrvr2005-003Pan.dmg
Debian Linux 3.0 mips
- Debian telnet_0.17-18woody3_mips.deb (Debian GNU/Linux 3.0 alias woody): http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody3_mips.deb
- Debian telnetd_0.17-18woody3_mips.deb (Debian GNU/Linux 3.0 alias woody): http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody3_mips.deb
Debian Linux 3.0 mipsel
- Debian telnet_0.17-18woody3_mipsel.deb (Debian GNU/Linux 3.0 alias woody): http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody3_mipsel.deb
- Debian telnetd_0.17-18woody3_mipsel.deb (Debian GNU/Linux 3.0 alias woody): http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody3_mipsel.deb
SCO Unixware 7.1.1
- SCO SCOSA-2005.21: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21
SCO Unixware 7.1.4
- SCO SCOSA-2005.21: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21
References
References:
- [security-announce] I: updated packages available (ALT Linux)
- 014: SECURITY FIX: March 30, 2005 - OpenBSD 3.6 buffer overflows in telnet(1) (OpenBSD)
- 031: SECURITY FIX: March 30, 2005 - OpenBSD 3.5 buffer overflows in telnet(1) (OpenBSD)
- 2005-04-20: telnet vulnerabilities (Heimdal)
- 20051101-00969 - NetBSD 2.0.3 (UNIRAS)
- ASA-2005-088 - Vulnerabilities in krb5 - (RHSA-2005-330) (Avaya)
- ASA-2005-132 - telnet (Avaya)
- Buffer Overflow in telnet(1) Client Software Also Affects Kerberized Telnet (Sun)
- Changes made between Owl 1.1 and Owl-current. (Openwall Project)
- CLSA-2005:962 - Fix for buffer overflows in telnet client (Conectiva)
- Homepage (F5 Software)
- MITKRB5-SA-2005-001-telnet (MIT)
- NetBSD Homepage (NetBSD)
- RHSA-2005:327-10 - telnet security update (RedHat)
- RHSA-2005:330-06 - krb5 security update (RedHat)
- Security Update 2005-003 (Apple)
- Sun Alert ID: 57755 - Buffer Overflow in telnet(1) Client Software (Sun)
- iDEFENSE Security Advisory 03.28.05: Multiple Telnet Client env_opt_add() Buffer (iDEFENSE)
- Re: iDEFENSE Security Advisory 03.28.05: Multiple Telnet Client slc_add_reply() (Tavis Ormandy)
- Re: iDEFENSE Security Advisory 03.28.05: Multiple Telnet Client slc_add_reply() ("Gael Delalleau")