Bugtraq mailing list archives

Linux NetKit-B update.


From: dholland () hcs HARVARD EDU (David Holland)
Date: Wed, 24 Jul 1996 01:41:12 -0400


Linux NetKit-B-0.07 has been released (check comp.os.linux.announce
for details).

This fixes the following security problems/hazards:

1. Possible overrun copying DNS results into a buffer on the stack in
fingerd while processing the linux-specific -w ("welcome banner")
option. Patch: convert sprintf to snprintf.

2. Possible overrun copying DNS results into a buffer on the stack in
talkd. This affected FreeBSD, NetBSD, and OpenBSD as well; all have
integrated a fix into the current development tree. It may affect
vendors... Patch: convert sprintf to snprintf in announce.c.

3. Possible overrun copying $TERM into a buffer on the stack in
rlogin. This affects lots of platforms, but has been mentioned here
before I think. Patch: use snprintf or strncpy.

4. Suspicious (but not necessarily exploitable) handling of buffers on
the stack in rshd. Patch: convert sprintf to snprintf.

5. rsh didn't drop root before execing rlogin. This is not a big deal
except in conjunction with (3) -- chmod -s on rlogin is *not*
sufficient.

6. Buffer overflow in ping mentioned yesterday, but it's not on the
stack and consequently probably not exploitable. Patch: use snprintf.

7. Integrated a fix for the telnetd environment bug (old news, but it
hadn't got into the standard linux sources yet.)

Also, there was a bug in sliplogin where it did "setuid(0); system()"
without clearing the environment. A fixed version has been available
for Linux and FreeBSD for some time, but the news had not reached
NetBSD until last week. Vendor versions could be vulnerable.

--
   - David A. Holland          | Number of words in the English language that
     dholland () hcs harvard edu  | exist because of typos or misreadings: 381
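
The sprintf-to-snprintf and strncpy conversions listed above, shown as an added example that is not part of the original post or the NetKit sources. The function names, buffer sizes and banner format are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BANNER_MAX 64   /* constructed size; the real buffers differ per daemon */

/* Bounded replacement for sprintf(buf, "Welcome to %s\n", host), where host
 * is untrusted (for example a reverse DNS result).
 * Returns 0 on success, -1 if the name did not fit or formatting failed.
 * buf is always NUL-terminated when size > 0. */
int format_banner(char *buf, size_t size, const char *host)
{
    int n = snprintf(buf, size, "Welcome to %s\n", host);
    if (n < 0 || (size_t)n >= size)
        return -1;          /* truncated: caller should reject, not use */
    return 0;
}

/* strncpy variant for the $TERM case. strncpy does not NUL-terminate when
 * the source is too long, so terminate by hand and report the truncation. */
int copy_term(char *dst, size_t size, const char *term)
{
    if (size == 0)
        return -1;
    strncpy(dst, term, size - 1);
    dst[size - 1] = '\0';
    return strlen(term) >= size ? -1 : 0;
}

int main(void)
{
    char banner[BANNER_MAX], term[16];
    char long_name[256];    /* constructed oversized "DNS result" */

    memset(long_name, 'a', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    printf("short: %d\n", format_banner(banner, sizeof banner, "host.example.org"));
    printf("long:  %d (kept %zu bytes)\n",
           format_banner(banner, sizeof banner, long_name), strlen(banner));
    printf("term:  %d -> \"%s\"\n", copy_term(term, sizeof term, long_name), term);
    return 0;
}
```

Checking the snprintf return value matters because a silently truncated hostname or terminal name can still be wrong input for whatever consumes the buffer next.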


