• info
• discussion
• exploit
• solution
• references

Multiple Vendor Termcap tgetent() Buffer Overflow

Solution:
Redhat has released the following RPM's to address this problem:

Red Hat Linux 4.2:

Intel:
ftp://ftp.redhat.com/redhat/updates/4.2/i386/libtermcap-2.0.8-14.4.2.i386.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/i386/libtermcap-devel-2.0.8-14.4.2.i386.rpm

Alpha:
ftp://ftp.redhat.com/redhat/updates/4.2/alpha/libtermcap-2.0.8-14.4.2.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/alpha/libtermcap-devel-2.0.8-14.4.2.alpha.rpm

Sparc:
ftp://ftp.redhat.com/redhat/updates/4.2/sparc/libtermcap-2.0.8-14.4.2.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/sparc/libtermcap-devel-2.0.8-14.4.2.sparc.rpm

Source packages:
ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/libtermcap-2.0.8-14.4.2.src.rpm

Red Hat Linux 4.2:

Intel:
ftp://ftp.redhat.com/redhat/updates/4.2/i386/libtermcap-2.0.8-14.4.2.i386.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/i386/libtermcap-devel-2.0.8-14.4.2.i386.rpm

Alpha:
ftp://ftp.redhat.com/redhat/updates/4.2/alpha/libtermcap-2.0.8-14.4.2.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/alpha/libtermcap-devel-2.0.8-14.4.2.alpha.rpm

Sparc:
ftp://ftp.redhat.com/redhat/updates/4.2/sparc/libtermcap-2.0.8-14.4.2.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/sparc/libtermcap-devel-2.0.8-14.4.2.sparc.rpm

Source packages:
ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/libtermcap-2.0.8-14.4.2.src.rpm

Red Hat Linux 5.2:

Intel:
ftp://ftp.redhat.com/redhat/updates/5.2/i386/libtermcap-2.0.8-14.5.2.i386.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/i386/libtermcap-devel-2.0.8-14.5.2.i386.rpm

Alpha:
ftp://ftp.redhat.com/redhat/updates/5.2/alpha/libtermcap-2.0.8-14.5.2.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/alpha/libtermcap-devel-2.0.8-14.5.2.alpha.rpm

Sparc:
ftp://ftp.redhat.com/redhat/updates/5.2/sparc/libtermcap-2.0.8-14.5.2.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/sparc/libtermcap-devel-2.0.8-14.5.2.sparc.rpm

Source packages:
ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/libtermcap-2.0.8-14.5.2.src.rpm

Red Hat Linux 6.0:

Intel:
ftp://ftp.redhat.com/redhat/updates/6.0/i386/libtermcap-2.0.8-15.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/i386/libtermcap-devel-2.0.8-15.i386.rpm

Alpha:
ftp://ftp.redhat.com/redhat/updates/6.0/alpha/libtermcap-2.0.8-15.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/alpha/libtermcap-devel-2.0.8-15.alpha.rpm

Sparc:
ftp://ftp.redhat.com/redhat/updates/6.0/sparc/libtermcap-2.0.8-15.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/sparc/libtermcap-devel-2.0.8-15.sparc.rpm

Source packages:
ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/libtermcap-2.0.8-15.src.rpm

For Slackware Linux updated packages have been uploaded to ftp://ftp.cdrom.com/pub/linux/slackware-4.0/. The following is the ChangeLog file entries:

Sat Aug 28 20:18:45 CDT 1999
These packages fix a buffer overflow problem in libtermcap that can be exploited to gain unauthorized root access. Below are fixed versions of the affected packages suitable for use on Slackware 4.0 systems:

slakware/a4/elflibs.tgz: Patched buffer overflow in libtermcap.
slakware/d1/libc.tgz: Patched buffer overflow in libtermcap.
slakware/x1/xbin.tgz: Recompiled /usr/X11R6/bin/xterm, which had been linked against a vulnerable libtermcap.a.

*** Alternate, minimal fix:

The directory below contains only the fixed versions of libtermcap and xterm. Installing these two packages is also a complete fix for the problem. In addition, these two upgrades are suitable for use on Slackware 3.5, 3.6, 3.9, or 4.0.

patches/termcap.tgz: Fixed libtermcap.
patches/xterm.tgz: Fixed xterm.