krb5/krb5-1.6-CVE-2007-0956-prelim.patch

FIXES
=====

* a future release of MIT krb5 will contain a fix for this
  vulnerability

prior to that release you may:

* disable telnetd

or

* apply the following (preliminary) patch:

*** src/appl/telnet/telnetd/state.c     (revision 19480)
--- src/appl/telnet/telnetd/state.c     (local)
***************
*** 1665,1671 ****
  	    strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
  	    strcmp(varp, "NLSPATH") && /* locale stuff */
  	    strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
! 	    strcmp(varp, "IFS")) {
  		return 1;
  	} else {
  		syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
--- 1665,1672 ----
  	    strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
  	    strcmp(varp, "NLSPATH") && /* locale stuff */
  	    strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
! 	    strcmp(varp, "IFS") &&
! 	    !strchr(varp, '-')) {
  		return 1;
  	} else {
  		syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
*** src/appl/telnet/telnetd/sys_term.c  (revision 19480)
--- src/appl/telnet/telnetd/sys_term.c  (local)
***************
*** 1287,1292 ****
--- 1287,1302 ----
  #endif
  #if	defined (AUTHENTICATION)
  	if (auth_level >= 0 && autologin == AUTH_VALID) {
+ 		if (name[0] == '-') {
+ 		    /* Authenticated and authorized to log in to an
+ 		       account starting with '-'?  Even if that
+ 		       unlikely case comes to pass, the current login
+ 		       program will not parse the resulting command
+ 		       line properly.  */
+ 		    syslog(LOG_ERR, "user name cannot start with '-'");
+ 		    fatal(net, "user name cannot start with '-'");
+ 		    exit(1);
+ 		}
  # if	!defined(NO_LOGIN_F)
  #if	defined(LOGIN_CAP_F)
  		argv = addarg(argv, "-F");
***************
*** 1377,1387 ****
  	} else
  #endif
  	if (getenv("USER")) {
! 		argv = addarg(argv, getenv("USER"));
  #if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
  		{
  			register char **cpp;
  			for (cpp = environ; *cpp; cpp++)
  				argv = addarg(argv, *cpp);
  		}
  #endif
--- 1387,1405 ----
  	} else
  #endif
  	if (getenv("USER")) {
! 		char *user = getenv("USER");
! 		if (user[0] == '-') {
! 			/* "telnet -l-x ..." */
! 			syslog(LOG_ERR, "user name cannot start with '-'");
! 			fatal(net, "user name cannot start with '-'");
! 			exit(1);
! 		}
! 		argv = addarg(argv, user);
  #if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
  		{
  			register char **cpp;
  			for (cpp = environ; *cpp; cpp++)
+ 			    if ((*cpp)[0] != '-')
  				argv = addarg(argv, *cpp);
  		}
  #endif