patch for SSLtelnet vulnerability (CAN-2004-0640)

David A. Holland dholland at
Sun Jul 18 14:27:15 PDT 2004

 > Apologies in advance for not being familiar with FreeBSD's patch/ports 
 > system. As far as I can tell, SSLtelnet is deprecated on FreeBSD. Even 
 > so, I would like to offer the following patch to fix the vulnerability 
 > described in CAN-2004-0640:
 > 00_CAN-2004-0640-1.patch
 > < patch >
 > --- telnetd/telnetd.c.orig      2004-07-13 02:58:01.000000000 -0400
 > +++ telnetd/telnetd.c   2004-07-13 03:27:23.000000000 -0400
 > @@ -520,7 +520,7 @@
 >                 sprintf(errbuf,"SSL_accept error %s\n",
 >                     ERR_error_string(ERR_get_error(),NULL));
 > -               syslog(LOG_WARNING, errbuf);
 > +               syslog(LOG_WARNING, "%.500s", errbuf);
 >                 BIO_printf(bio_err,errbuf);
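Review bot: The trailing context line `BIO_printf(bio_err,errbuf);` still passes errbuf as the format string, which is the same pattern the changed syslog line corrects, so the hunk closes only one of the two sinks for this buffer. Suggest `BIO_printf(bio_err, "%s", errbuf);` in the same patch. The `sprintf` into errbuf at the top of the hunk is unbounded and the declaration of errbuf is not visible here, so its size should be checked against the longest ERR_error_string() result, or the call changed to snprintf with sizeof errbuf. The 500 in `%.500s` also deserves a comment saying what limit it is meant to respect.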
 > < /patch >
 > Thanks.  I am CC'ing this patch to the netkit maintainer email
 > given in the package.  I have already given this information to the
 > Debian maintainer.  OpenBSD, NetBSD, & Redhat appear not to use
 > telnetd with SSL support.  They favor use of "openssl s_client
 > -connect host:port".


netkit-telnet's telnetd does not have this code. (SSL telnet is not
itself part of netkit, though it might be derived from the netkit

I'd be more worried about the sprintf call I see in the patch context;
that one looks like it's likely harmless, but if there's one there's
probably more.

The legacy telnetd source all these things are derived from is evil
and fundamentally insecure; I'd encourage anyone interested in having
an SSL-enabled telnetd to do the world a service and write new
telnetd code from scratch.

David A. Holland       dholland at
NetKit Maintenance     netbug at
(if in doubt, use the netkit-0.18 pre1 snap, not 0.17; I haven't had
time to do a new snap, much less a release, and won't for a while)
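
An added example, not part of the original thread or of the SSLtelnet source: the two points raised above (bounding the sprintf, and never passing a built message as a format string) in one small C program. The names sink_printf, format_ssl_error and log_ssl_error are hypothetical, and sink_printf stands in for syslog()/BIO_printf() so the rendered line can be inspected.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog()/BIO_printf(): a printf-style sink that captures
 * the rendered line so it can be inspected (hypothetical helper). */
static char sink[128];

static int sink_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(sink, sizeof sink, fmt, ap);
    va_end(ap);
    return n;
}

/* Build "SSL_accept error <detail>" into a caller-sized buffer.
 * Returns 0 if it fit, 1 if it was truncated, -1 on an output error. */
static int format_ssl_error(char *dst, size_t dstlen, const char *detail)
{
    int n = snprintf(dst, dstlen, "SSL_accept error %s\n", detail);
    if (n < 0)
        return -1;
    return (size_t)n >= dstlen ? 1 : 0;
}

/* Log the message as data: the format is a literal, the text an argument.
 * Returns the number of characters the sink rendered. */
static int log_ssl_error(const char *detail)
{
    char errbuf[64];
    (void)format_ssl_error(errbuf, sizeof errbuf, detail);
    return sink_printf("%.500s", errbuf);
}

/* Constructed sample: an error string that carries printf directives. */
static const char constructed_detail[] = "peer said %x %x %s";

int main(void)
{
    log_ssl_error(constructed_detail);
    fputs(sink, stdout);   /* directives appear literally, unexpanded */
    return 0;
}
```
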

