Menu
▾
▴
[Italk-devel] Security Advisory: Yaegashi/Takeshi/Zephyr6
|
From: <ta...@st...> - 2000-05-17 16:30:37
|
Topic: Yaegashi(server) contains a buffer overflow in DNS resolution Category: tools Module: Yaegashi/Takeshi/Zephyr6 Announced: 2000-05-18 Affects: all versions before 1.01 including relay-0.xx Corrected: 2000-05-18 I. Background Yaegashi/Takeshi/Zephyr6 is a program package contains 3 commands. Yaegashi(server) is one of them and helps to create a simple server by executing a user process that inputs from stdin and outputs to stdout. II. Problem Description Yaegashi accepts a connection from another host, perform DNS reverse lookup, set a host name of the peer to an environment variable and spawn child process. A temporary buffer for the host name Yaegashi allocates is too short, which causes a buffer overflow. III. Impact Remote users who can connect to the Yaegashi port can potentially execute arbitrary code on your system. IV. Workaround Remove the Yaegashi, if you have installed it. V. Solution Upgrade your Yaegashi to 1.02 or later. It can be obtained from: http://download.sourceforge.net/italk/yaegashi-takeshi-1.02.tar.gz http://www.st.rim.or.jp/~tak/file/yaegashi-takeshi-1.02.tar.gz -- NAKAMURA Takayuki ta...@st... (^^; |
