[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1018744: bullseye-pu: package inetutils/2:2.0-1+deb11u1

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: team@security.debian.org

Hi!

[ Reason ]

A recent vulnerability (DoS) was reported upstream, for which I
uploaded a fixed package to sid (will migrate tomorrow). There was a
(minor) pending security update missing from bullseye. The security
team (CCed) would prefer to see these handled as normal stable updates.

[ Impact ]

These are both security issues. One against malicious ftp servers
which can end up controlling the client to connect to other hosts,
the other a DoS on the telnetd server which makes it crash with
specific two-byte payloads.

[ Tests ]

For the ftp client, there's a test recipe at
<https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html>.

For the telnetd server there's a test recipe at
<https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00003.html>
which amounts to «printf "\xff\xf7" | nc -n -v localhost 23».

Both test recipes could be reproduced before, and do not work after
the patched version.

[ Risks ]

The fix for the ftp client has been in sid since 2021-09 with no
reported regressions.

The fix for telnetd has not yet migrated to testing, but is few lines
long fixing a couple of NULL pointer dereferences.

[ Checklist ]

  [√] *all* changes are documented in the d/changelog
  [√] I reviewed all changes and I approve them
  [√] attach debdiff against the package in (old)stable
  [√] the issue is verified as fixed in unstable

[ Changes ]

  * Fix inetutils-ftp security bug trusting FTP PASV responses.
    Fixes CVE-2021-40491. Closes: #993476
  * Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by
    a NULL pointer dereference when sending the byte sequences «0xff 0xf7»
    or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch
    adapted by Erik Auerswald <auerswal@unix-ag.uni-kl.de>.

[ Other info ]

None.

Thanks.
Guillem

diff -Nru inetutils-2.0/debian/changelog inetutils-2.0/debian/changelog
--- inetutils-2.0/debian/changelog	2021-02-05 23:14:20.000000000 +0100
+++ inetutils-2.0/debian/changelog	2022-08-28 16:01:41.000000000 +0200
@@ -1,3 +1,14 @@
+inetutils (2:2.0-1+deb11u1) bullseye; urgency=medium
+
+  * Fix inetutils-ftp security bug trusting FTP PASV responses.
+    Fixes CVE-2021-40491. Closes: #993476
+  * Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by
+    a NULL pointer dereference when sending the byte sequences «0xff 0xf7»
+    or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch
+    adapted by Erik Auerswald <auerswal@unix-ag.uni-kl.de>.
+
+ -- Guillem Jover <guillem@debian.org>  Sun, 28 Aug 2022 16:01:41 +0200
+
 inetutils (2:2.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch
--- inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch	1970-01-01 01:00:00.000000000 +0100
+++ inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch	2022-08-28 16:01:41.000000000 +0200
@@ -0,0 +1,59 @@
+From 58cb043b190fd04effdaea7c9403416b436e50dd Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Wed, 1 Sep 2021 09:09:50 +0200
+Subject: [PATCH] ftp: check that PASV/LSPV addresses match.
+
+* ftp/ftp.c (initconn): Validate returned addresses.
+---
+ ftp/ftp.c | 21 +++++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/ftp/ftp.c b/ftp/ftp.c
+index d21dbdd8..7513539d 100644
+--- a/ftp/ftp.c
++++ b/ftp/ftp.c
+@@ -1365,6 +1365,13 @@ initconn (void)
+ 		  uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr;
+ 		  pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3]);
+ 		}
++		if (data_addr_sa4->sin_addr.s_addr
++		    != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++		  {
++		    printf ("Passive mode address mismatch.\n");
++		    (void) command ("ABOR");	/* Cancel any open connection.  */
++		    goto bad;
++		  }
+ 	    } /* LPSV IPv4 */
+ 	  else /* IPv6 */
+ 	    {
+@@ -1395,6 +1402,13 @@ initconn (void)
+ 		  pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8) | h[11]);
+ 		  pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] << 8) | h[15]);
+ 		}
++		if (data_addr_sa6->sin6_addr.s6_addr
++		    != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr)
++		  {
++		    printf ("Passive mode address mismatch.\n");
++		    (void) command ("ABOR");	/* Cancel any open connection.  */
++		    goto bad;
++		  }
+ 	    } /* LPSV IPv6 */
+ 	}
+       else /* !EPSV && !LPSV */
+@@ -1415,6 +1429,13 @@ initconn (void)
+ 			 | ((a2 & 0xff) << 8) | (a3 & 0xff) );
+ 	      data_addr_sa4->sin_port =
+ 		  htons (((p0 & 0xff) << 8) | (p1 & 0xff));
++	      if (data_addr_sa4->sin_addr.s_addr
++		  != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++		{
++		  printf ("Passive mode address mismatch.\n");
++		  (void) command ("ABOR");	/* Cancel any open connection.  */
++		  goto bad;
++		}
+ 	    } /* PASV */
+ 	  else
+ 	    {
+-- 
+2.37.2
+
diff -Nru inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch
--- inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch	1970-01-01 01:00:00.000000000 +0100
+++ inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch	2022-08-28 16:01:41.000000000 +0200
@@ -0,0 +1,45 @@
+Description: Fix remote DoS vulnerability in inetutils-telnetd
+ This is caused by a crash by a NULL pointer dereference when sending the
+ byte sequences «0xff 0xf7» or «0xff 0xf8».
+Authors:
+ Pierre Kim (original patch),
+ Alexandre Torres (original patch),
+ Erik Auerswald <auerswal@unix-ag.uni-kl.de> (adapted patch),
+Reviewed-by: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
+Origin: upstream
+Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
+Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
+Last-Update: 2022-08-28
+
+
+---
+ telnetd/state.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/telnetd/state.c
++++ b/telnetd/state.c
+@@ -315,15 +315,21 @@ telrcv (void)
+ 	    case EC:
+ 	    case EL:
+ 	      {
+-		cc_t ch;
++		cc_t ch = (cc_t) (_POSIX_VDISABLE);
+ 
+ 		DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
+ 		ptyflush ();	/* half-hearted */
+ 		init_termbuf ();
+ 		if (c == EC)
+-		  ch = *slctab[SLC_EC].sptr;
++		  {
++		    if (slctab[SLC_EC].sptr)
++		      ch = *slctab[SLC_EC].sptr;
++		  }
+ 		else
+-		  ch = *slctab[SLC_EL].sptr;
++		  {
++		    if (slctab[SLC_EL].sptr)
++		      ch = *slctab[SLC_EL].sptr;
++		  }
+ 		if (ch != (cc_t) (_POSIX_VDISABLE))
+ 		  pty_output_byte ((unsigned char) ch);
+ 		break;
diff -Nru inetutils-2.0/debian/patches/series inetutils-2.0/debian/patches/series
--- inetutils-2.0/debian/patches/series	2021-01-30 01:26:45.000000000 +0100
+++ inetutils-2.0/debian/patches/series	2022-08-28 16:00:38.000000000 +0200
@@ -1,3 +1,6 @@
 # Local patches
 0001-inetd-Change-protocol-semantics-in-inetd.conf.patch
 0002-build-Disable-GFDL-info-files-and-useless-man-pages.patch
+# Upstream patches
+0001-ftp-check-that-PASV-LSPV-addresses-match.patch
+inetutils-telnetd-EC_EL_null_deref.patch
Reply to: