--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: guillem@debian.org
Fix for CVE-2020-10188, which doesn't really warrant a DSA.
(The numbering in debian/patches/series follows
what's in unstable; the same patch has been present there for a few
months already)
Debdiff attached.
Cheers,
Moritz
diff -Nru inetutils-1.9.4/debian/changelog inetutils-1.9.4/debian/changelog
--- inetutils-1.9.4/debian/changelog 2019-02-16 18:09:37.000000000 +0100
+++ inetutils-1.9.4/debian/changelog 2020-09-18 20:06:42.000000000 +0200
@@ -1,3 +1,9 @@
+inetutils (2:1.9.4-7+deb10u1) buster; urgency=medium
+
+ * CVE-2020-10188 (Closes: #956084)
+
+ -- Moritz Mühlenhoff <jmm@debian.org> Fri, 18 Sep 2020 20:06:42 +0200
+
inetutils (2:1.9.4-7) unstable; urgency=medium
* Remove debian/tmp prefix from man pages paths in debhelper fragment files.
diff -Nru inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch
--- inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch 1970-01-01 01:00:00.000000000 +0100
+++ inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch 2020-09-18 15:58:19.000000000 +0200
@@ -0,0 +1,130 @@
+From 99afdd5ecd787e40f06473304125eee93139031a Mon Sep 17 00:00:00 2001
+From: Michal Ruprich <michalruprich@gmail.com>
+Date: Sun, 12 Apr 2020 22:41:50 +0200
+Subject: [PATCH 53/60] telnetd: Fix arbitrary remote code execution via short
+ writes or urgent data
+
+Fixes: CVE-2020-10188
+Closes: #956084
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10188
+Patch-Origin: Fedora / RedHat
+Patch-URL: https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch
+---
+ telnetd/telnetd.h | 2 +-
+ telnetd/utility.c | 35 ++++++++++++++++++++++-------------
+ 2 files changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/telnetd/telnetd.h b/telnetd/telnetd.h
+index 044025d2..fa970e24 100644
+--- a/telnetd/telnetd.h
++++ b/telnetd/telnetd.h
+@@ -271,7 +271,7 @@ void io_drain (void);
+
+ int stilloob (int s);
+ void ptyflush (void);
+-char *nextitem (char *current);
++char *nextitem (char *current, const char *endp);
+ void netclear (void);
+ void netflush (void);
+
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index db93c205..c9df8a79 100644
+--- a/telnetd/utility.c
++++ b/telnetd/utility.c
+@@ -484,10 +484,14 @@ stilloob (int s)
+ * character.
+ */
+ char *
+-nextitem (char *current)
++nextitem (char *current, const char *endp)
+ {
++ if (current >= endp)
++ return NULL;
+ if ((*current & 0xff) != IAC)
+ return current + 1;
++ if (current + 1 >= endp)
++ return NULL;
+
+ switch (*(current + 1) & 0xff)
+ {
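Review bot: The header comment above nextitem (it starts outside this hunk and ends at `character. */`) is not updated for the new contract. The function now takes `endp` and returns NULL when `current` is at or past it, or when an IAC sequence is cut off before `endp`. I would add a sentence such as `Returns NULL if the item starting at CURRENT is not complete before ENDP; ENDP points one past the last valid byte.` so callers know the result must be checked before it is dereferenced or compared. The function body continues in the next hunk.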
+@@ -495,19 +499,20 @@ nextitem (char *current)
+ case DONT:
+ case WILL:
+ case WONT:
+- return current + 3;
++ return current + 3 <= endp ? current + 3 : NULL;
+
+ case SB: /* loop forever looking for the SE */
+ {
+ char *look = current + 2;
+
+- for (;;)
+- if ((*look++ & 0xff) == IAC && (*look++ & 0xff) == SE)
++ while (look < endp)
++ if ((*look++ & 0xff) == IAC && look < endp && (*look++ & 0xff) == SE)
+ return look;
+
+- default:
+- return current + 2;
++ return NULL;
+ }
++ default:
++ return current + 2 <= endp ? current + 2 : NULL;
+ }
+ } /* end of nextitem */
+
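Review bot: In the DO/DONT/WILL/WONT case `current + 3 <= endp` forms the pointer before checking it, and since only `current + 1 < endp` is known at that point, `current + 3` can be `endp + 1`; if `endp` is ever the one-past-the-end address of the buffer (not visible here), forming that pointer is undefined. Comparing distances avoids it: `return endp - current >= 3 ? current + 3 : NULL;`. The same earlier check makes `current + 2 <= endp` in the default case always true, so it can be a plain `return current + 2;` or kept with a comment saying it is defensive. The SB comment `/* loop forever looking for the SE */` is now stale because the loop stops at `endp`; something like `/* scan for IAC SE, stopping at endp */` matches the code.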
+@@ -529,8 +534,9 @@ nextitem (char *current)
+ * us in any case.
+ */
+ #define wewant(p) \
+- ((nfrontp > p) && ((*p&0xff) == IAC) && \
+- ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
++ ((nfrontp > p) && ((*p & 0xff) == IAC) && \
++ (nfrontp > p + 1 && (((*(p + 1) & 0xff) != EC) && \
++ ((*(p + 1)&0xff) != EL))))
+
+
+ void
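Review bot: The rewritten `wewant` still uses its parameter unparenthesized (`*p`, `p + 1`) and evaluates it several times, so it is only safe with a plain pointer variable as argument, which is what the callers visible in this patch pass. Writing `(p)` throughout, e.g. `((nfrontp > (p)) && ((*(p) & 0xff) == IAC) && ...`, or turning it into a `static` function would remove that trap; the last line also keeps the unspaced `&0xff`. The comment above the macro (it starts outside the hunk) should say that an IAC which is the final byte before `nfrontp` is no longer wanted, since its following byte is no longer read.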
+@@ -545,7 +551,7 @@ netclear (void)
+ thisitem = netobuf;
+ #endif /* ENCRYPTION */
+
+- while ((next = nextitem (thisitem)) <= nbackp)
++ while ((next = nextitem (thisitem, nbackp)) != NULL && next <= nbackp)
+ thisitem = next;
+
+ /* Now, thisitem is first before/at boundary. */
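Review bot: The `next <= nbackp` test in the new loop condition looks redundant: as changed in this patch, every return path of nextitem yields either NULL or a pointer no greater than the `endp` it was given, which is `nbackp` here. `while ((next = nextitem (thisitem, nbackp)) != NULL)` says the same thing. If the comparison is kept as a defensive check, a short comment such as `/* NULL: the item at thisitem is not complete before nbackp */` would explain why the loop stops. netclear starts and ends outside this hunk.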
+@@ -556,15 +562,18 @@ netclear (void)
+ good = netobuf; /* where the good bytes go */
+ #endif /* ENCRYPTION */
+
+- while (nfrontp > thisitem)
++ while (thisitem != NULL && nfrontp > thisitem)
+ {
+ if (wewant (thisitem))
+ {
+ int length;
+
+- for (next = thisitem; wewant (next) && nfrontp > next;
+- next = nextitem (next))
++ for (next = thisitem;
++ next != NULL && wewant (next) && nfrontp > next;
++ next = nextitem (next, nfrontp))
+ ;
++ if (next == NULL)
++ next = nfrontp;
+
+ length = next - thisitem;
+ memmove (good, thisitem, length);
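Review bot: The two NULL paths in this loop treat a truncated trailing item differently and neither is commented. In the `wewant` branch `next == NULL` is mapped to `nfrontp`, so an incomplete wanted item is copied as it is, while in the `else` branch of the following hunk `thisitem` becomes NULL and the loop ends with the remaining bytes dropped. A comment on `if (next == NULL)` such as `/* incomplete item at the end of the buffer: keep what we have */`, and a matching one on the else branch, would make the intent reviewable. `length` is still an `int` receiving a pointer difference; `ptrdiff_t length = next - thisitem;` would avoid the narrowing. The code after the loop is outside the hunk, so whether `thisitem` is used there once it may be NULL should be checked.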
+@@ -573,7 +582,7 @@ netclear (void)
+ }
+ else
+ {
+- thisitem = nextitem (thisitem);
++ thisitem = nextitem (thisitem, nfrontp);
+ }
+ }
+
+--
+2.26.0.292.g33ef6b2f38
+
diff -Nru inetutils-1.9.4/debian/patches/series inetutils-1.9.4/debian/patches/series
--- inetutils-1.9.4/debian/patches/series 2019-02-16 17:21:30.000000000 +0100
+++ inetutils-1.9.4/debian/patches/series 2020-09-18 15:58:34.000000000 +0200
@@ -29,3 +29,4 @@
0036-ftpd-ftpd.c-options-max-timeout-Mention-mandatory-ar.patch
0037-src-hostname.c-set_name-Handle-case-when-hostname_ne.patch
0038-src-hostname.c-parse_file-Free-name-and-allocate-one.patch
+0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch
--- End Message ---