Red Hat 9062 Published by

A telnet security update is available for Red Hat Enterprise Linux 2.1, 3, and 4

----------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Important: telnet security update
Advisory ID: RHSA-2005:327-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-327.html
Issue date: 2005-03-28
Updated on: 2005-03-28
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-0468 CAN-2005-0469
----------------------------------------------------------------------

1. Summary:

Updated telnet packages that fix two buffer overflow vulnerabilities are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64



3. Problem description:

The telnet package provides a command line telnet client. The telnet-server package includes a telnet daemon, telnetd, that supports remote login to the host machine.

Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0468 and CAN-2005-0469 to these issues.

Additionally, the following bugs have been fixed in these erratum packages for Red Hat Enterprise Linux 2.1 and Red Hat Enterprise Linux 3:

- - telnetd could loop on an error in the child side process

- - There was a race condition in telnetd on a wtmp lock on some occasions

- - The command line in the process table was sometimes too long and caused bad output from the ps command

- - The 8-bit binary option was not working

Users of telnet should upgrade to this updated package, which contains backported patches to correct these issues.

Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

126858 - Too long /proc/X/cmdline: bad ps output when piped to less/more
145004 - telnetd cleanup() race condition with syslog in signal handler
145636 - [PATCH] telnetd loops on child IO error
147003 - [RHEL3] telnetd cleanup() race condition with syslog in signal handler
151297 - CAN-2005-0469 slc_add_reply() Buffer Overflow Vulnerability
151301 - CAN-2005-0468 env_opt_add() Buffer Overflow Vulnerability

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/telnet-0.17-20.EL2.3.src.rpm
417f308264da21ba52f490671078437d telnet-0.17-20.EL2.3.src.rpm

i386:
9844ce440580371e21adb6e240f7ef32 telnet-0.17-20.EL2.3.i386.rpm
6a8a735c26c81c10fd03d25ed001c89c telnet-server-0.17-20.EL2.3.i386.rpm

ia64:
17e5e124770f7772cf0d4c4e24650b87 telnet-0.17-20.EL2.3.ia64.rpm
94149177b916123e92c80bf5412112fc telnet-server-0.17-20.EL2.3.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/telnet-0.17-20.EL2.3.src.rpm
417f308264da21ba52f490671078437d telnet-0.17-20.EL2.3.src.rpm

ia64:
17e5e124770f7772cf0d4c4e24650b87 telnet-0.17-20.EL2.3.ia64.rpm
94149177b916123e92c80bf5412112fc telnet-server-0.17-20.EL2.3.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/telnet-0.17-20.EL2.3.src.rpm
417f308264da21ba52f490671078437d telnet-0.17-20.EL2.3.src.rpm

i386:
9844ce440580371e21adb6e240f7ef32 telnet-0.17-20.EL2.3.i386.rpm
6a8a735c26c81c10fd03d25ed001c89c telnet-server-0.17-20.EL2.3.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/telnet-0.17-20.EL2.3.src.rpm
417f308264da21ba52f490671078437d telnet-0.17-20.EL2.3.src.rpm

i386:
9844ce440580371e21adb6e240f7ef32 telnet-0.17-20.EL2.3.i386.rpm
6a8a735c26c81c10fd03d25ed001c89c telnet-server-0.17-20.EL2.3.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/telnet-0.17-26.EL3.2.src.rpm
9d246538ceb4ea06807737bf487bf29d telnet-0.17-26.EL3.2.src.rpm

i386:
a1edb03210ac63b30f6332a2e4227dc9 telnet-0.17-26.EL3.2.i386.rpm
6eea6c08ea68f1ea8a177c63016e9935 telnet-server-0.17-26.EL3.2.i386.rpm

ia64:
540dfa1463fb15b035371cb8815c8003 telnet-0.17-26.EL3.2.ia64.rpm
cf5ea891b305e4e150b31f012e5bd0b7 telnet-server-0.17-26.EL3.2.ia64.rpm

ppc:
004cd42520a5052fbbf6f150ebec5308 telnet-0.17-26.EL3.2.ppc.rpm
5246c393f0b38a64a47efc8b091d3cc3 telnet-server-0.17-26.EL3.2.ppc.rpm

s390:
feb70dd0f45a9e08d5d49fcb773924f2 telnet-0.17-26.EL3.2.s390.rpm
9290204b8e84f96b024ffe98da834174 telnet-server-0.17-26.EL3.2.s390.rpm

s390x:
8d7419651888f9943e82918b73c84b09 telnet-0.17-26.EL3.2.s390x.rpm
6dc6d17c2086c6756a74e9e48552b634 telnet-server-0.17-26.EL3.2.s390x.rpm

x86_64:
7d226b52aae9119e23645d3243bd821c telnet-0.17-26.EL3.2.x86_64.rpm
d48f86ee42581c351d565aa78d373204 telnet-server-0.17-26.EL3.2.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/telnet-0.17-26.EL3.2.src.rpm
9d246538ceb4ea06807737bf487bf29d telnet-0.17-26.EL3.2.src.rpm

i386:
a1edb03210ac63b30f6332a2e4227dc9 telnet-0.17-26.EL3.2.i386.rpm
6eea6c08ea68f1ea8a177c63016e9935 telnet-server-0.17-26.EL3.2.i386.rpm

x86_64:
7d226b52aae9119e23645d3243bd821c telnet-0.17-26.EL3.2.x86_64.rpm
d48f86ee42581c351d565aa78d373204 telnet-server-0.17-26.EL3.2.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/telnet-0.17-26.EL3.2.src.rpm
9d246538ceb4ea06807737bf487bf29d telnet-0.17-26.EL3.2.src.rpm

i386:
a1edb03210ac63b30f6332a2e4227dc9 telnet-0.17-26.EL3.2.i386.rpm
6eea6c08ea68f1ea8a177c63016e9935 telnet-server-0.17-26.EL3.2.i386.rpm

ia64:
540dfa1463fb15b035371cb8815c8003 telnet-0.17-26.EL3.2.ia64.rpm
cf5ea891b305e4e150b31f012e5bd0b7 telnet-server-0.17-26.EL3.2.ia64.rpm

x86_64:
7d226b52aae9119e23645d3243bd821c telnet-0.17-26.EL3.2.x86_64.rpm
d48f86ee42581c351d565aa78d373204 telnet-server-0.17-26.EL3.2.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/telnet-0.17-26.EL3.2.src.rpm
9d246538ceb4ea06807737bf487bf29d telnet-0.17-26.EL3.2.src.rpm

i386:
a1edb03210ac63b30f6332a2e4227dc9 telnet-0.17-26.EL3.2.i386.rpm
6eea6c08ea68f1ea8a177c63016e9935 telnet-server-0.17-26.EL3.2.i386.rpm

ia64:
540dfa1463fb15b035371cb8815c8003 telnet-0.17-26.EL3.2.ia64.rpm
cf5ea891b305e4e150b31f012e5bd0b7 telnet-server-0.17-26.EL3.2.ia64.rpm

x86_64:
7d226b52aae9119e23645d3243bd821c telnet-0.17-26.EL3.2.x86_64.rpm
d48f86ee42581c351d565aa78d373204 telnet-server-0.17-26.EL3.2.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/telnet-0.17-31.EL4.2.src.rpm
a3faf4a95d925197b7ec88861a272f68 telnet-0.17-31.EL4.2.src.rpm

i386:
c03d8fbd5c1a1dfd334263e034626bef telnet-0.17-31.EL4.2.i386.rpm
095477b3fd6797a4dcb71eaa6fe40fb9 telnet-server-0.17-31.EL4.2.i386.rpm

ia64:
c1eaa58f26e47c3c8370ff2189b78b81 telnet-0.17-31.EL4.2.ia64.rpm
3e47cc360ea07b28c16da6fdfb88c39e telnet-server-0.17-31.EL4.2.ia64.rpm

ppc:
22fc96070dc40b3686d23b62f213069c telnet-0.17-31.EL4.2.ppc.rpm
53e773d2752608b0414a8fd0e449c694 telnet-server-0.17-31.EL4.2.ppc.rpm

s390:
8336b046ae91cc296a949ce840858489 telnet-0.17-31.EL4.2.s390.rpm
62fa5b57339984f7903c8c6828cf3907 telnet-server-0.17-31.EL4.2.s390.rpm

s390x:
a9687c4c60aa7ce447b322ad15e491e1 telnet-0.17-31.EL4.2.s390x.rpm
624150f3b2bb179af14f89333549baf8 telnet-server-0.17-31.EL4.2.s390x.rpm

x86_64:
ba9038dbfdedbf0d064c6b2be18f10e4 telnet-0.17-31.EL4.2.x86_64.rpm
42fc60c48cacc2d40798fc33681bfcd2 telnet-server-0.17-31.EL4.2.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/telnet-0.17-31.EL4.2.src.rpm
a3faf4a95d925197b7ec88861a272f68 telnet-0.17-31.EL4.2.src.rpm

i386:
c03d8fbd5c1a1dfd334263e034626bef telnet-0.17-31.EL4.2.i386.rpm
095477b3fd6797a4dcb71eaa6fe40fb9 telnet-server-0.17-31.EL4.2.i386.rpm

x86_64:
ba9038dbfdedbf0d064c6b2be18f10e4 telnet-0.17-31.EL4.2.x86_64.rpm
42fc60c48cacc2d40798fc33681bfcd2 telnet-server-0.17-31.EL4.2.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/telnet-0.17-31.EL4.2.src.rpm
a3faf4a95d925197b7ec88861a272f68 telnet-0.17-31.EL4.2.src.rpm

i386:
c03d8fbd5c1a1dfd334263e034626bef telnet-0.17-31.EL4.2.i386.rpm
095477b3fd6797a4dcb71eaa6fe40fb9 telnet-server-0.17-31.EL4.2.i386.rpm

ia64:
c1eaa58f26e47c3c8370ff2189b78b81 telnet-0.17-31.EL4.2.ia64.rpm
3e47cc360ea07b28c16da6fdfb88c39e telnet-server-0.17-31.EL4.2.ia64.rpm

x86_64:
ba9038dbfdedbf0d064c6b2be18f10e4 telnet-0.17-31.EL4.2.x86_64.rpm
42fc60c48cacc2d40798fc33681bfcd2 telnet-server-0.17-31.EL4.2.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/telnet-0.17-31.EL4.2.src.rpm
a3faf4a95d925197b7ec88861a272f68 telnet-0.17-31.EL4.2.src.rpm

i386:
c03d8fbd5c1a1dfd334263e034626bef telnet-0.17-31.EL4.2.i386.rpm
095477b3fd6797a4dcb71eaa6fe40fb9 telnet-server-0.17-31.EL4.2.i386.rpm

ia64:
c1eaa58f26e47c3c8370ff2189b78b81 telnet-0.17-31.EL4.2.ia64.rpm
3e47cc360ea07b28c16da6fdfb88c39e telnet-server-0.17-31.EL4.2.ia64.rpm

x86_64:
ba9038dbfdedbf0d064c6b2be18f10e4 telnet-0.17-31.EL4.2.x86_64.rpm
42fc60c48cacc2d40798fc33681bfcd2 telnet-server-0.17-31.EL4.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.