Bug#1018744: bullseye-pu: package inetutils/2:2.0-1+deb11u1
Hi!
Sorry, I'm updating the request as I found missing stuff while
preparing the companion update for buster!
On Tue, 2022-08-30 at 00:37:03 +0200, Guillem Jover wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: team@security.debian.org
> [ Reason ]
>
> A recent vulnerability (DoS) was reported upstream, for which I
> uploaded a fixed package to sid (will migrate tomorrow). There was a
> (minor) pending security update missing from bullseye. The security
> team (CCed) would prefer to see these handled as normal stable updates.
I'm adding a couple of patches to solve lingering buffer overflow issues
from #945861 and CVE-2019-0053.
> [ Impact ]
>
> These are both security issues. One against malicious ftp servers
> which can end up controlling the client to connect to other hosts,
> the other a DoS on the telnetd server which makes it crash with
> specific two-byte payloads.
The additional patches are buffer overflows.
> [ Tests ]
>
> For the ftp client, there's a test recipe at
> <https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html>.
>
> For the telnetd server there's a test recipe at
> <https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00003.html>
> which amounts to «printf "\xff\xf7" | nc -n -v localhost 23».
The two new patches fix the following reproducers:
$ DISPLAY=`perl -e 'print Ax"50000"'` telnet -l`perl -e 'print "A"x5000'` localhost
and
https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/telnet_term_0day.py
> Both test recipes could be reproduced before, and do not work after
> the patched version.
> [ Risks ]
>
> The fix for the ftp client has been in sid since 2021-09 with no
> reported regressions.
>
> The fix for telnetd has not yet migrated to testing, but is few lines
> long fixing a couple of NULL pointer dereferences.
Both new fixes have been part of sid/testing for a while now.
> [ Checklist ]
>
> [√] *all* changes are documented in the d/changelog
> [√] I reviewed all changes and I approve them
> [√] attach debdiff against the package in (old)stable
> [√] the issue is verified as fixed in unstable
>
> [ Changes ]
* telnet: Add checks for option reply parsing limits causing buffer
overflow induced crashes due to long option values.
Fixes CVE-2019-0053. Closes: #945861
* Add patch from upstream to fix infinite loop causing a stack exhaustion
induced crash in telnet client due to malicious server commands.
Closes: #945861
> * Fix inetutils-ftp security bug trusting FTP PASV responses.
> Fixes CVE-2021-40491. Closes: #993476
> * Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by
> a NULL pointer dereference when sending the byte sequences «0xff 0xf7»
> or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch
> adapted by Erik Auerswald <auerswal@unix-ag.uni-kl.de>.
> [ Other info ]
>
> None.
I'm attaching the refreshed debdiff.
Thanks,
Guillem
diff -Nru inetutils-2.0/debian/changelog inetutils-2.0/debian/changelog
--- inetutils-2.0/debian/changelog 2021-02-05 23:14:20.000000000 +0100
+++ inetutils-2.0/debian/changelog 2022-08-30 13:34:41.000000000 +0200
@@ -1,3 +1,21 @@
+inetutils (2:2.0-1+deb11u1) bullseye; urgency=medium
+
+ * telnet: Add checks for option reply parsing limits causing buffer
+ overflow induced crashes due to long option values.
+ Fixes CVE-2019-0053. Closes: #945861
+ * Add patch from upstream to fix infinite loop causing a stack exhaustion
+ induced crash in telnet client due to malicious server commands.
+ Closes: #945861
+ * Fix inetutils-ftp security bug trusting FTP PASV responses.
+ Fixes CVE-2021-40491. Closes: #993476
+ * Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by
+ a NULL pointer dereference when sending the byte sequences «0xff 0xf7»
+ or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch
+ adapted by Erik Auerswald <auerswal@unix-ag.uni-kl.de>.
+ Fixes CVE-2022-39028.
+
+ -- Guillem Jover <guillem@debian.org> Tue, 30 Aug 2022 13:34:41 +0200
+
inetutils (2:2.0-1) unstable; urgency=medium
* New upstream release.
diff -Nru inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch
--- inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch 1970-01-01 01:00:00.000000000 +0100
+++ inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch 2022-08-30 13:33:33.000000000 +0200
@@ -0,0 +1,59 @@
+From 58cb043b190fd04effdaea7c9403416b436e50dd Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Wed, 1 Sep 2021 09:09:50 +0200
+Subject: [PATCH] ftp: check that PASV/LSPV addresses match.
+
+* ftp/ftp.c (initconn): Validate returned addresses.
+---
+ ftp/ftp.c | 21 +++++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/ftp/ftp.c b/ftp/ftp.c
+index d21dbdd8..7513539d 100644
+--- a/ftp/ftp.c
++++ b/ftp/ftp.c
+@@ -1365,6 +1365,13 @@ initconn (void)
+ uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr;
+ pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3]);
+ }
++ if (data_addr_sa4->sin_addr.s_addr
++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection. */
++ goto bad;
++ }
+ } /* LPSV IPv4 */
+ else /* IPv6 */
+ {
+@@ -1395,6 +1402,13 @@ initconn (void)
+ pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8) | h[11]);
+ pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] << 8) | h[15]);
+ }
++ if (data_addr_sa6->sin6_addr.s6_addr
++ != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection. */
++ goto bad;
++ }
+ } /* LPSV IPv6 */
+ }
+ else /* !EPSV && !LPSV */
+@@ -1415,6 +1429,13 @@ initconn (void)
+ | ((a2 & 0xff) << 8) | (a3 & 0xff) );
+ data_addr_sa4->sin_port =
+ htons (((p0 & 0xff) << 8) | (p1 & 0xff));
++ if (data_addr_sa4->sin_addr.s_addr
++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection. */
++ goto bad;
++ }
+ } /* PASV */
+ else
+ {
+--
+2.37.2
+
diff -Nru inetutils-2.0/debian/patches/0001-telnet-Add-checks-for-option-reply-parsing-limits.patch inetutils-2.0/debian/patches/0001-telnet-Add-checks-for-option-reply-parsing-limits.patch
--- inetutils-2.0/debian/patches/0001-telnet-Add-checks-for-option-reply-parsing-limits.patch 1970-01-01 01:00:00.000000000 +0100
+++ inetutils-2.0/debian/patches/0001-telnet-Add-checks-for-option-reply-parsing-limits.patch 2022-08-30 13:31:38.000000000 +0200
@@ -0,0 +1,54 @@
+From 24dcb23ceab395644051a3da37f1cbd00fe80c17 Mon Sep 17 00:00:00 2001
+From: Guillem Jover <guillem@hadrons.org>
+Date: Fri, 3 Sep 2021 03:58:13 +0200
+Subject: [PATCH] telnet: Add checks for option reply parsing limits
+
+This fixes buffer overflows caused by for example:
+
+ telnet -l`perl -e 'print "A"x5000'` localhost
+
+Taken from FreeBSD.
+---
+ telnet/telnet.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/telnet/telnet.c
++++ b/telnet/telnet.c
+@@ -1678,8 +1678,8 @@ env_opt (register unsigned char *buf, re
+ }
+ }
+
+-#define OPT_REPLY_SIZE 256
+-unsigned char *opt_reply;
++#define OPT_REPLY_SIZE (2 * SUBBUFSIZE)
++unsigned char *opt_reply = NULL;
+ unsigned char *opt_replyp;
+ unsigned char *opt_replyend;
+
+@@ -1762,6 +1762,8 @@ env_opt_add (register unsigned char *ep)
+ {
+ while ((c = *ep++))
+ {
++ if (opt_replyp + (2 + 2) > opt_replyend)
++ return;
+ switch (c & 0xff)
+ {
+ case IAC:
+@@ -1778,6 +1780,8 @@ env_opt_add (register unsigned char *ep)
+ }
+ if ((ep = vp))
+ {
++ if (opt_replyp + (1 + 2 + 2) > opt_replyend)
++ return;
+ #ifdef OLD_ENVIRON
+ if (telopt_environ == TELOPT_OLD_ENVIRON)
+ *opt_replyp++ = old_env_value;
+@@ -1808,6 +1812,8 @@ env_opt_end (register int emptyok)
+ {
+ register int len;
+
++ if (opt_replyp + 2 > opt_replyend)
++ return;
+ len = opt_replyp - opt_reply + 2;
+ if (emptyok || len > 6)
+ {
diff -Nru inetutils-2.0/debian/patches/0001-telnet-Don-t-infloop-for-malicious-server.patch inetutils-2.0/debian/patches/0001-telnet-Don-t-infloop-for-malicious-server.patch
--- inetutils-2.0/debian/patches/0001-telnet-Don-t-infloop-for-malicious-server.patch 1970-01-01 01:00:00.000000000 +0100
+++ inetutils-2.0/debian/patches/0001-telnet-Don-t-infloop-for-malicious-server.patch 2022-08-30 13:33:02.000000000 +0200
@@ -0,0 +1,25 @@
+From 3fcebb9b38b8b01e528d158656af863f98a3c751 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Fri, 3 Sep 2021 15:59:45 +0200
+Subject: [PATCH] telnet: Don't infloop for malicious server.
+
+See https://bugs.debian.org/945861 and the tiny patch used by NetBSD:
+https://github.com/NetBSD/src/commit/36b8cfb2e28f691beae12da0c207086e1df0c8c4#diff-38b7213f9c6c21245fbeb4fad9520a27239d712a6dd0fea20dd6b77203b5737c
+
+* telnet/utilities.c (ExitString): Don't call SetForExit().
+
+diff --git a/telnet/utilities.c b/telnet/utilities.c
+index 85fd4762..08571cd4 100644
+--- a/telnet/utilities.c
++++ b/telnet/utilities.c
+@@ -1063,7 +1063,6 @@ Exit (int returnCode)
+ void
+ ExitString (char *string, int returnCode)
+ {
+- SetForExit ();
+ fwrite (string, 1, strlen (string), stderr);
+ exit (returnCode);
+ }
+--
+2.33.0
+
diff -Nru inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch
--- inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch 1970-01-01 01:00:00.000000000 +0100
+++ inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch 2022-08-30 13:34:10.000000000 +0200
@@ -0,0 +1,45 @@
+Description: Fix remote DoS vulnerability in inetutils-telnetd
+ This is caused by a crash by a NULL pointer dereference when sending the
+ byte sequences «0xff 0xf7» or «0xff 0xf8».
+Authors:
+ Pierre Kim (original patch),
+ Alexandre Torres (original patch),
+ Erik Auerswald <auerswal@unix-ag.uni-kl.de> (adapted patch),
+Reviewed-by: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
+Origin: upstream
+Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
+Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
+Last-Update: 2022-08-28
+
+
+---
+ telnetd/state.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/telnetd/state.c
++++ b/telnetd/state.c
+@@ -315,15 +315,21 @@ telrcv (void)
+ case EC:
+ case EL:
+ {
+- cc_t ch;
++ cc_t ch = (cc_t) (_POSIX_VDISABLE);
+
+ DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
+ ptyflush (); /* half-hearted */
+ init_termbuf ();
+ if (c == EC)
+- ch = *slctab[SLC_EC].sptr;
++ {
++ if (slctab[SLC_EC].sptr)
++ ch = *slctab[SLC_EC].sptr;
++ }
+ else
+- ch = *slctab[SLC_EL].sptr;
++ {
++ if (slctab[SLC_EL].sptr)
++ ch = *slctab[SLC_EL].sptr;
++ }
+ if (ch != (cc_t) (_POSIX_VDISABLE))
+ pty_output_byte ((unsigned char) ch);
+ break;
diff -Nru inetutils-2.0/debian/patches/series inetutils-2.0/debian/patches/series
--- inetutils-2.0/debian/patches/series 2021-01-30 01:26:45.000000000 +0100
+++ inetutils-2.0/debian/patches/series 2022-08-30 13:34:10.000000000 +0200
@@ -1,3 +1,8 @@
# Local patches
0001-inetd-Change-protocol-semantics-in-inetd.conf.patch
0002-build-Disable-GFDL-info-files-and-useless-man-pages.patch
+0001-telnet-Add-checks-for-option-reply-parsing-limits.patch
+# Upstream git
+0001-telnet-Don-t-infloop-for-malicious-server.patch
+0001-ftp-check-that-PASV-LSPV-addresses-match.patch
+inetutils-telnetd-EC_EL_null_deref.patch
Reply to: