This version of talkd, borrowed from the FreeBSD 2.2 sources,
ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/src/libexec/talkd/
plugs that hole.
The quad-fat binary is here, along with the source code.
If you want to compile it yourself, you FIRST need to get the patched Syslog() from
http://golem.ph.utexas.edu/~distler/progs/newlog-1.0.4.tar.gz
(which includes a quad-fat library) or from
ftp://ftp.cs.columbia.edu/pub/sos/lib/
which is where this package originated.
Compiling this package yields a library, libnewlog.a, containing a version of syslog(3) which is immune to the infamous buffer-overflow bug (CERT Advisory CA-95.13), as well as a bunch of other BSD4.4ish goodies which are necessary to compile this version of talkd.
Install the library in /usr/local/lib:
% cp libnewlog.a /usr/local/lib
% chmod 644 /usr/local/lib/libnewlog.a
% ranlib /usr/local/lib/libnewlog.a
Now you are ready to compile talkd. Simply type "make".
When installing it, note that you need to replace BOTH /usr/etc/talkd and /usr/etc/ntalkd with the talkd binary that you produce. (If you don't want to overwrite them, you can simply change their permissions to 600, and edit /etc/inetd.conf to point to the location of the new binary. Be sure to kill -HUP the inetd daemon to get it to reread its configuration file.)
Even if you do install the replacement talkd daemon, do consider installing BIND 8 and running a caching-only nameserver. This will protect your other programs from rogue data returned by gethostbyname() and gethostbyaddress(). Setting up a caching-only nameserver is easy; details can be found at the BIND web site.
That's it. Enjoy. . .