
Bug#970584: buster-pu: package inetutils/2:1.9.4-7+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: guillem@debian.org

Fix for CVE-2020-10188, which doesn't really warrant a DSA.

(The numbering in debian/patches/series follows what's in
unstable; the same patch has been present there for a few
months already.)

Debdiff attached.

Cheers,
        Moritz
diff -Nru inetutils-1.9.4/debian/changelog inetutils-1.9.4/debian/changelog
--- inetutils-1.9.4/debian/changelog	2019-02-16 18:09:37.000000000 +0100
+++ inetutils-1.9.4/debian/changelog	2020-09-18 20:06:42.000000000 +0200
@@ -1,3 +1,9 @@
+inetutils (2:1.9.4-7+deb10u1) buster; urgency=medium
+
+  * CVE-2020-10188 (Closes: #956084)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Fri, 18 Sep 2020 20:06:42 +0200
+
 inetutils (2:1.9.4-7) unstable; urgency=medium
 
   * Remove debian/tmp prefix from man pages paths in debhelper fragment files.
diff -Nru inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch
--- inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch	1970-01-01 01:00:00.000000000 +0100
+++ inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch	2020-09-18 15:58:19.000000000 +0200
@@ -0,0 +1,130 @@
+From 99afdd5ecd787e40f06473304125eee93139031a Mon Sep 17 00:00:00 2001
+From: Michal Ruprich <michalruprich@gmail.com>
+Date: Sun, 12 Apr 2020 22:41:50 +0200
+Subject: [PATCH 53/60] telnetd: Fix arbitrary remote code execution via short
+ writes or urgent data
+
+Fixes: CVE-2020-10188
+Closes: #956084
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10188
+Patch-Origin: Fedora / RedHat
+Patch-URL: https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch
+---
+ telnetd/telnetd.h |  2 +-
+ telnetd/utility.c | 35 ++++++++++++++++++++++-------------
+ 2 files changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/telnetd/telnetd.h b/telnetd/telnetd.h
+index 044025d2..fa970e24 100644
+--- a/telnetd/telnetd.h
++++ b/telnetd/telnetd.h
+@@ -271,7 +271,7 @@ void io_drain (void);
+ 
+ int stilloob (int s);
+ void ptyflush (void);
+-char *nextitem (char *current);
++char *nextitem (char *current, const char *endp);
+ void netclear (void);
+ void netflush (void);
+ 
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index db93c205..c9df8a79 100644
+--- a/telnetd/utility.c
++++ b/telnetd/utility.c
+@@ -484,10 +484,14 @@ stilloob (int s)
+  * character.
+  */
+ char *
+-nextitem (char *current)
++nextitem (char *current, const char *endp)
+ {
++  if (current >= endp)
++    return NULL;
+   if ((*current & 0xff) != IAC)
+     return current + 1;
++  if (current + 1 >= endp)
++    return NULL;
+ 
+   switch (*(current + 1) & 0xff)
+     {
+@@ -495,19 +499,20 @@ nextitem (char *current)
+     case DONT:
+     case WILL:
+     case WONT:
+-      return current + 3;
++      return current + 3 <= endp ? current + 3 : NULL;
+ 
+     case SB:			/* loop forever looking for the SE */
+       {
+ 	char *look = current + 2;
+ 
+-	for (;;)
+-	  if ((*look++ & 0xff) == IAC && (*look++ & 0xff) == SE)
++	while (look < endp)
++	  if ((*look++ & 0xff) == IAC && look < endp && (*look++ & 0xff) == SE)
+ 	    return look;
+ 
+-      default:
+-	return current + 2;
++	return NULL;
+       }
++    default:
++      return current + 2 <= endp ? current + 2 : NULL;
+     }
+ }				/* end of nextitem */
+ 
+@@ -529,8 +534,9 @@ nextitem (char *current)
+  * us in any case.
+  */
+ #define wewant(p)					\
+-  ((nfrontp > p) && ((*p&0xff) == IAC) &&		\
+-   ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
++  ((nfrontp > p) && ((*p & 0xff) == IAC) &&		\
++   (nfrontp > p + 1 && (((*(p + 1) & 0xff) != EC) &&	\
++                        ((*(p + 1)&0xff) != EL))))
+ 
+ 
+ void
+@@ -545,7 +551,7 @@ netclear (void)
+   thisitem = netobuf;
+ #endif /* ENCRYPTION */
+ 
+-  while ((next = nextitem (thisitem)) <= nbackp)
++  while ((next = nextitem (thisitem, nbackp)) != NULL && next <= nbackp)
+     thisitem = next;
+ 
+   /* Now, thisitem is first before/at boundary. */
+@@ -556,15 +562,18 @@ netclear (void)
+   good = netobuf;		/* where the good bytes go */
+ #endif /* ENCRYPTION */
+ 
+-  while (nfrontp > thisitem)
++  while (thisitem != NULL && nfrontp > thisitem)
+     {
+       if (wewant (thisitem))
+ 	{
+ 	  int length;
+ 
+-	  for (next = thisitem; wewant (next) && nfrontp > next;
+-	       next = nextitem (next))
++	  for (next = thisitem;
++	       next != NULL && wewant (next) && nfrontp > next;
++	       next = nextitem (next, nfrontp))
+ 	    ;
++	  if (next == NULL)
++	    next = nfrontp;
+ 
+ 	  length = next - thisitem;
+ 	  memmove (good, thisitem, length);
+@@ -573,7 +582,7 @@ netclear (void)
+ 	}
+       else
+ 	{
+-	  thisitem = nextitem (thisitem);
++	  thisitem = nextitem (thisitem, nfrontp);
+ 	}
+     }
+ 
+-- 
+2.26.0.292.g33ef6b2f38
+
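Review bot: The fixed-length cases in nextitem() test the bound by forming the pointer first (`current + 3 <= endp`), and when `endp` sits at the very end of the output buffer `current + 3` can point more than one element past it, which is undefined in C even though it is never dereferenced; comparing the remaining length avoids that: `return endp - current >= 3 ? current + 3 : NULL;` (the `default:` case is already safe after the earlier `current + 1 >= endp` check, but could use the same form for consistency). The context comment on the SB case still reads `/* loop forever looking for the SE */` although the loop is now bounded by `endp`; it should say something like `/* scan for IAC SE, stopping at endp */`, and the function's header comment, which starts outside the hunk, should state that NULL means the item is incomplete or runs past `endp`. netclear() continues outside the hunks shown, so whether every later use of `thisitem` tolerates NULL cannot be confirmed from here.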
diff -Nru inetutils-1.9.4/debian/patches/series inetutils-1.9.4/debian/patches/series
--- inetutils-1.9.4/debian/patches/series	2019-02-16 17:21:30.000000000 +0100
+++ inetutils-1.9.4/debian/patches/series	2020-09-18 15:58:34.000000000 +0200
@@ -29,3 +29,4 @@
 0036-ftpd-ftpd.c-options-max-timeout-Mention-mandatory-ar.patch
 0037-src-hostname.c-set_name-Handle-case-when-hostname_ne.patch
 0038-src-hostname.c-parse_file-Free-name-and-allocate-one.patch
+0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch
