COMMAND

    telnet, in.telnetd

SYSTEMS AFFECTED

    Red Hat Linux 4.2, 5.2, 6.0, all architectures

PROBLEM

    in.telnetd  attempts  to  negotiate  a  compatible  terminal  type
    between  the  local  and  remote   host.   By  setting  the   TERM
    environment  variable  before  connecting,  a  remote  user  could
    cause the system telnetd to  open files it should not.   Depending
    on the  TERM setting  used, this  could lead  to denial of service
    attacks.   Thanks go  to Michal  Zalewski and  the Linux  Security
    Audit team for noting this vulnerability.

    Most of terminfo-based programs  will accept TERM variable  set to
    e.g. '../../../tmp/x'.  All we have to do  is to provide 'our  own
    termcap  file',  set  TERM,  then  execute vulnerable program with
    terminfo support.   In fact,  in.telnetd daemon shipped e.g.  with
    RH 6.0 (as well as  with many other recent distributions  based on
    terminfo  entries),  is vulnerable...  And  TERM  variable  can be
    passed  using  telnet  ENVIRON  option during protocol negotiation
    before login procedure... Guess what? ;) Almost remote root (well,
    all you have to do locally is putting /tmp/x). [by Michal Zalewski]
    We  are  talking  about  terminfo  support  and tgetent() function
    implemented in libncurses, which  is buggy as well,  while ncurses
    allows '../' tricks.
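
    One way a daemon could vet the terminal name it receives during
    negotiation before handing it to tgetent(), shown as an added example
    that is not code from this advisory, NetKit or ncurses. The names
    term_name_is_safe and TERM_NAME_MAX and the allowed character set are
    assumptions.

```c
/* Added example: defensive check on a client-supplied terminal name.
 * term_name_is_safe() and TERM_NAME_MAX are hypothetical names, not taken
 * from NetKit or ncurses. */
#include <stddef.h>
#include <stdio.h>

#define TERM_NAME_MAX 64   /* assumed upper bound; real names are short */

/* Return 1 if `term` is acceptable as a terminfo/termcap entry name,
 * 0 if it must be rejected before any tgetent()/setupterm() call. */
int term_name_is_safe(const char *term)
{
    size_t i;

    if (term == NULL || term[0] == '\0')
        return 0;
    /* A leading '.' covers ".", ".." and hidden files; a leading '-'
     * avoids confusion with options if the value reaches a command line. */
    if (term[0] == '.' || term[0] == '-')
        return 0;

    for (i = 0; term[i] != '\0'; i++) {
        unsigned char c = (unsigned char)term[i];

        if (i >= TERM_NAME_MAX)
            return 0;
        /* Allow-list: the characters found in ordinary entry names such
         * as "xterm-256color", "vt100" or "screen.linux". '/' is not in
         * the list, so no value can name a path component. */
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') ||
              c == '-' || c == '_' || c == '+' || c == '.'))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample values; the second is the one quoted above. */
    const char *samples[] = { "vt100", "../../../tmp/x", "xterm-256color",
                              "/etc/passwd", "..", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s %s\n", samples[i],
               term_name_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

    A rejected value would be replaced with a fixed fallback name or the
    connection refused; which of the two is a policy choice for the daemon.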

SOLUTION

    Red Hat Linux 4.2:

        ftp://ftp.redhat.com/redhat/updates/4.2/i386/NetKit-B-0.09-11.i386.rpm
        ftp://ftp.redhat.com/redhat/updates/4.2/alpha/NetKit-B-0.09-11.alpha.rpm
        ftp://ftp.redhat.com/redhat/updates/4.2/sparc/NetKit-B-0.09-11.sparc.rpm
        ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/NetKit-B-0.09-11.src.rpm

    Red Hat Linux 5.2:

        ftp://ftp.redhat.com/redhat/updates/5.2/i386/telnet-0.10-28.5.2.i386.rpm
        ftp://ftp.redhat.com/redhat/updates/5.2/alpha/telnet-0.10-28.5.2.alpha.rpm
        ftp://ftp.redhat.com/redhat/updates/5.2/sparc/telnet-0.10-28.5.2.sparc.rpm
        ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/telnet-0.10-28.5.2.src.rpm

    Red Hat Linux 6.0:

        ftp://ftp.redhat.com/redhat/updates/6.0/i386/telnet-0.10-29.i386.rpm
        ftp://ftp.redhat.com/redhat/updates/6.0/alpha/telnet-0.10-29.alpha.rpm
        ftp://ftp.redhat.com/redhat/updates/6.0/sparc/telnet-0.10-29.sparc.rpm
        ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/telnet-0.10-29.src.rpm