[SCM] GNU Inetutils branch, master, updated. v1.9.4.90-17-ga553210
From: |
Simon Josefsson |
Subject: |
[SCM] GNU Inetutils branch, master, updated. v1.9.4.90-17-ga553210 |
Date: |
Fri, 29 Jan 2021 03:34:46 -0500 (EST) |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils ".
The branch, master has been updated
via a5532103e3017b256765960e9333d2b7471a09ef (commit)
via cd7e7e685daeafb68f19347747af6340731a4518 (commit)
from a68717a4e573a4d406ce91cdd1de4d06abf95353 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=a5532103e3017b256765960e9333d2b7471a09ef
commit a5532103e3017b256765960e9333d2b7471a09ef
Author: Simon Josefsson <simon@josefsson.org>
Date: Fri Jan 29 09:27:23 2021 +0100
Add NEWS entry for telnetd vulnerability.
diff --git a/NEWS b/NEWS
index 938cfa2..a750d81 100644
--- a/NEWS
+++ b/NEWS
@@ -127,6 +127,13 @@ Causes problems when sending binary data through telnet
connections.
* telnetd
+** Fix BraveStarr telnetd remote exploit CVE-2020-10188.
+
+We used Debian's patch which is based on a patch to NetKit, see:
+https://nvd.nist.gov/vuln/detail/CVE-2020-10188
+https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html
+https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch
+
** Use tty, not pty on Solaris.
Setting of terminal attributes as well setting of window size must be
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=cd7e7e685daeafb68f19347747af6340731a4518
commit cd7e7e685daeafb68f19347747af6340731a4518
Author: Michal Ruprich <michalruprich@gmail.com>
Date: Sun Apr 12 22:41:50 2020 +0200
telnetd: Fix arbitrary remote code execution via short writes or urgent data
Fixes: CVE-2020-10188
Closes: #956084
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10188
Patch-Origin: Fedora / RedHat
Patch-URL:
https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch
Signed-off-by: Simon Josefsson <simon@josefsson.org>
diff --git a/telnetd/telnetd.h b/telnetd/telnetd.h
index 065b5cb..4d5876c 100644
--- a/telnetd/telnetd.h
+++ b/telnetd/telnetd.h
@@ -271,7 +271,7 @@ void io_drain (void);
int stilloob (int s);
void ptyflush (void);
-char *nextitem (char *current);
+char *nextitem (char *current, const char *endp);
void netclear (void);
void netflush (void);
diff --git a/telnetd/utility.c b/telnetd/utility.c
index 32bcc11..fc82cf3 100644
--- a/telnetd/utility.c
+++ b/telnetd/utility.c
@@ -487,10 +487,14 @@ stilloob (int s)
* character.
*/
char *
-nextitem (char *current)
+nextitem (char *current, const char *endp)
{
+ if (current >= endp)
+ return NULL;
if ((*current & 0xff) != IAC)
return current + 1;
+ if (current + 1 >= endp)
+ return NULL;
switch (*(current + 1) & 0xff)
{
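Review bot: The comment block above `nextitem` (it starts outside this hunk) does not describe the new `endp` parameter or the new NULL return, which every caller now has to test. I would add to it: `endp points one past the last byte that may be read; returns NULL when the item starting at current is not complete before endp.` The function body continues in the next hunk.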
@@ -498,19 +502,20 @@ nextitem (char *current)
case DONT:
case WILL:
case WONT:
- return current + 3;
+ return current + 3 <= endp ? current + 3 : NULL;
case SB: /* loop forever looking for the SE */
{
char *look = current + 2;
- for (;;)
- if ((*look++ & 0xff) == IAC && (*look++ & 0xff) == SE)
+ while (look < endp)
+ if ((*look++ & 0xff) == IAC && look < endp && (*look++ & 0xff) == SE)
return look;
- default:
- return current + 2;
+ return NULL;
}
+ default:
+ return current + 2 <= endp ? current + 2 : NULL;
}
} /* end of nextitem */
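Review bot: In the DO/DONT/WILL/WONT case `current + 3 <= endp` forms the pointer before checking it; the earlier guard only guarantees `current + 2 <= endp`, so `current + 3` can be `endp + 1`, and if `endp` is ever one past the end of `netobuf` (not visible here) that arithmetic is undefined. Comparing distances avoids it: `return endp - current >= 3 ? current + 3 : NULL;`. The same guard makes the ternary in the `default` case always true, so it could stay `return current + 2;`. The `SB` comment still says `loop forever looking for the SE`, which no longer matches the bounded loop; `/* scan for IAC SE, giving up at endp */` would be accurate.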
@@ -532,8 +537,9 @@ nextitem (char *current)
* us in any case.
*/
#define wewant(p) \
- ((nfrontp > p) && ((*p&0xff) == IAC) && \
- ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+ ((nfrontp > p) && ((*p & 0xff) == IAC) && \
+ (nfrontp > p + 1 && (((*(p + 1) & 0xff) != EC) && \
+ ((*(p + 1) & 0xff) != EL))))
void
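Review bot: `wewant` still expands `p` unparenthesized and now evaluates it five times, so it is only safe when the argument is a plain identifier; both call sites visible in this diff pass one, but nothing in the macro says so. Either parenthesize each use (`(nfrontp > (p)) && ((*(p) & 0xff) == IAC) && ...`) or replace the macro with a `static` function taking `const char *`. The comment above the macro (it starts outside this hunk) could also state that a lone trailing IAC, where `p + 1 == nfrontp`, is now treated as not wanted.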
@@ -548,7 +554,7 @@ netclear (void)
thisitem = netobuf;
#endif /* ENCRYPTION */
- while ((next = nextitem (thisitem)) <= nbackp)
+ while ((next = nextitem (thisitem, nbackp)) != NULL && next <= nbackp)
thisitem = next;
/* Now, thisitem is first before/at boundary. */
@@ -559,15 +565,18 @@ netclear (void)
good = netobuf; /* where the good bytes go */
#endif /* ENCRYPTION */
- while (nfrontp > thisitem)
+ while (thisitem != NULL && nfrontp > thisitem)
{
if (wewant (thisitem))
{
int length;
- for (next = thisitem; wewant (next) && nfrontp > next;
- next = nextitem (next))
+ for (next = thisitem;
+ next != NULL && wewant (next) && nfrontp > next;
+ next = nextitem (next, nfrontp))
;
+ if (next == NULL)
+ next = nfrontp;
length = next - thisitem;
memmove (good, thisitem, length);
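Review bot: The `if (next == NULL) next = nfrontp;` fallback deserves a comment, because it is where a truncated trailing command is kept rather than dropped: NULL here means the last wanted item is incomplete before `nfrontp`, so everything up to `nfrontp` is copied. Suggested: `/* incomplete item at the end of the buffer: keep the bytes up to nfrontp */`. The `nfrontp > next` test in the loop condition is already implied by `wewant (next)` and could be removed. `netclear` starts and ends outside this hunk, and the `else` branch in the next hunk relies on the `thisitem != NULL` test added to the `while` condition here.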
@@ -576,7 +585,7 @@ netclear (void)
}
else
{
- thisitem = nextitem (thisitem);
+ thisitem = nextitem (thisitem, nfrontp);
}
}
-----------------------------------------------------------------------
Summary of changes:
NEWS | 7 +++++++
telnetd/telnetd.h | 2 +-
telnetd/utility.c | 35 ++++++++++++++++++++++-------------
3 files changed, 30 insertions(+), 14 deletions(-)
hooks/post-receive
--
GNU Inetutils