-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1998.21: Security problems in ntalkd
Topic: Security problems in ntalkd
Advisory issue date: 24-July-1998

I. Problem Description

The code in talkd makes some bad assumptions:

- It replies to an address/port specified in the user's packet, not to the
  address/port it received the packet from [can be used for smurf-style
  attacks].
- It receives several string arguments, but never checks them (e.g. to make
  sure they're null-terminated) [it might be possible to crash talkd this
  way].
- It fopens a file /dev/ + the r_tty name provided by the user. It does check
  the provided r_tty against utmp, but I guess double checking never hurts.
- It does not properly protect the user from control characters being sent
  from the remote end.

II. Impact

Description: The assumptions listed above could allow smurf-style attacks or
talkd to be crashed.

Vulnerable Systems: OpenLinux 1.0, 1.1, & 1.2 systems using netkit-talk
packages prior to netkit-ntalk-0.10-3.

III. Solution

Correction: The proper solution is to upgrade to the netkit-ntalk-0.10-3
packages. They can be found on Caldera's FTP site at:
    ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/010/RPMS

The corresponding source code can be found at:
    ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/010/SRPMS

The MD5 checksums (from the "md5sum" command) for these packages are:
    0dc034e0e23f9b604e441652d233f6d1  RPMS/netkit-ntalk-0.10-3.i386.rpm
    a6f8fcfa3ee878916af271db9e244a37  SRPMS/netkit-ntalk-0.10-3.src.rpm

Upgrade with the following commands:
    rpm -q netkit-ntalk && rpm -U netkit-ntalk-0.10-3.i386.rpm

IV. References

This and other Caldera security resources are located at:
    http://www.caldera.com/news/security/index.html

Additional documentation on this problem can be found in

This security fix closes Caldera's internal Problem Report 4025.

V. PGP Signature

This message was signed with the PGP key for security@caldera.com.
This key can be obtained from:
    ftp://ftp.caldera.com/pub/pgp-keys/
Or on an OpenLinux CDROM under:
    /OpenLinux/pgp-keys/

$Id: SA-1998.21.txt,v 1.3 1998/07/24 13:03:28 rf Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNbiGIOn+9R4958LpAQGatgP8DiRKfrjtdT9juhbVzSYJBFrfW8k9DI6B
Qj+Bshe5xWBCaYqgFoGklC0kidoAghor085ELcE6U+A+eC8u061SxqxikbzWrd0M
5yJaT76rnFA1+WQPwRlRmO9pcAH0vc0Q2ntOe5N759RxMWOuW1hLxV8PYV36vkqH
gTqY3lJgT9M=
=FNQZ
-----END PGP SIGNATURE-----
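The four checks section I says talkd was missing (answer only the sender the kernel reported, require a NUL inside every fixed-width string field, treat the tty name as a single benign path component before joining it to /dev/, and neutralise control characters before writing remote data to a terminal) are illustrated below in an added C example. This is editorial code, not code from the advisory or from the netkit-ntalk package: the struct layout, the field widths NAME_SIZE/TTY_SIZE, the function names and the sample addresses are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed field widths for this example; not the netkit-ntalk layout. */
#define NAME_SIZE 12
#define TTY_SIZE  16

/* Constructed, simplified view of a talk control request. ctl_addr/ctl_port
 * is the reply target the client asks for; the point of the check below is
 * that it must never be trusted on its own. */
struct talk_request {
    uint32_t ctl_addr;        /* IPv4 address carried inside the packet */
    uint16_t ctl_port;        /* port carried inside the packet */
    char l_name[NAME_SIZE];   /* caller's login name, fixed width */
    char r_name[NAME_SIZE];   /* callee's login name, fixed width */
    char r_tty[TTY_SIZE];     /* callee's tty name, later joined to "/dev/" */
};

/* Check 2: a fixed-width field is usable only if a NUL lies inside it. */
static int field_is_terminated(const char *f, size_t n)
{
    return memchr(f, '\0', n) != NULL;
}

/* Check 3: the tty name becomes "/dev/" + name, so it must be one non-empty
 * path component: no '/', not "." or "..", only [A-Za-z0-9_.-]. */
int tty_name_is_safe(const char *tty, size_t n)
{
    size_t i;
    if (!field_is_terminated(tty, n) || tty[0] == '\0')
        return 0;
    if (strcmp(tty, ".") == 0 || strcmp(tty, "..") == 0)
        return 0;
    for (i = 0; tty[i] != '\0'; i++) {
        unsigned char c = (unsigned char)tty[i];
        if (c == '/' || !(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Check 1: the reply target in the packet must equal the source address and
 * port the socket layer reported (e.g. from recvfrom); otherwise the daemon
 * would be answering to a third party chosen by the sender. */
int reply_target_is_sender(const struct talk_request *req,
                           uint32_t src_addr, uint16_t src_port)
{
    return req->ctl_addr == src_addr && req->ctl_port == src_port;
}

/* All request-level checks together: 1 = accept, 0 = drop silently. */
int request_is_acceptable(const struct talk_request *req,
                          uint32_t src_addr, uint16_t src_port)
{
    return field_is_terminated(req->l_name, NAME_SIZE)
        && field_is_terminated(req->r_name, NAME_SIZE)
        && tty_name_is_safe(req->r_tty, TTY_SIZE)
        && reply_target_is_sender(req, src_addr, src_port);
}

/* Check 4: replace every non-printable byte (ESC, CR, BEL, ...) with '?'
 * before the text reaches the user's terminal. Returns the output length. */
size_t sanitize_for_terminal(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    if (dstlen == 0)
        return 0;
    for (; *src != '\0' && i + 1 < dstlen; src++) {
        unsigned char c = (unsigned char)*src;
        dst[i++] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    dst[i] = '\0';
    return i;
}

/* Builds a request with strncpy so that an input exactly as wide as the
 * field is stored without a NUL, which is how an unterminated field looks. */
struct talk_request make_request(const char *l, const char *r, const char *tty,
                                 uint32_t addr, uint16_t port)
{
    struct talk_request req;
    memset(&req, 0, sizeof req);
    strncpy(req.l_name, l, NAME_SIZE);
    strncpy(req.r_name, r, NAME_SIZE);
    strncpy(req.r_tty, tty, TTY_SIZE);
    req.ctl_addr = addr;
    req.ctl_port = port;
    return req;
}

int main(void)
{
    /* Constructed sample: sender 10.0.0.1:518 asks to be answered at itself. */
    struct talk_request ok = make_request("alice", "bob", "ttyp3", 0x0a000001u, 518);
    struct talk_request bad = make_request("alice", "bob", "AAAAAAAAAAAAAAAA", 0x0a000001u, 518);
    char out[32];

    printf("well-formed request:      %d\n", request_is_acceptable(&ok, 0x0a000001u, 518));
    printf("reply target != sender:   %d\n", request_is_acceptable(&ok, 0x0a000002u, 518));
    printf("unterminated r_tty field: %d\n", request_is_acceptable(&bad, 0x0a000001u, 518));
    sanitize_for_terminal(out, sizeof out, "hi\x1b[2Jthere");
    printf("sanitized text:           %s\n", out);
    return 0;
}
```

The address comparison assumes the daemon records the source of the datagram from the socket layer; with that in place a packet naming a different reply target is simply dropped rather than answered, which removes the reflection path the advisory describes.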