| author | Guillem Jover <guillem@debian.org> | 2022-08-28 15:07:29 +0200 |
|---|---|---|
| committer | Guillem Jover <guillem@debian.org> | 2022-08-28 15:07:29 +0200 |
| commit | 113da8021710d871c7dd72d2a4d5615d42d64289 (patch) | |
| tree | fb8bf8de009bb9f238ad3173304d3eb524d9622b | |
| parent | a2ed38e1e84ed4f48db399176bde490b2395ddaf (diff) | |
Fix remote DoS vulnerability in inetutils-telnetd
This is a crash caused by a NULL pointer dereference when the byte
sequences «0xff 0xf7» or «0xff 0xf8» are sent to the server.
Found-by: Pierre Kim and Alexandre Torres
Patch-adapted-by: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
| -rw-r--r-- | debian/changelog | 9 | ||||
| -rw-r--r-- | debian/patches/inetutils-telnetd-EC_EL_null_deref.patch | 43 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
3 files changed, 53 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index e7f37f4..7771d61 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+inetutils (2:2.3-5) UNRELEASED; urgency=medium
+
+ * Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by
+ a NULL pointer dereference when sending the byte sequences «0xff 0xf7»
+ or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch
+ adapted by Erik Auerswald <auerswal@unix-ag.uni-kl.de>.
+
+ -- Guillem Jover <guillem@debian.org> Sun, 28 Aug 2022 14:51:13 +0200
+
 inetutils (2:2.3-4) unstable; urgency=medium

 * Set telnet and telnetd Section to oldlibs.
diff --git a/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch b/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch
new file mode 100644
index 0000000..fac5e3f
--- /dev/null
+++ b/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch
@@ -0,0 +1,43 @@
+Description: Fix remote DoS vulnerability in inetutils-telnetd
+ This is caused by a crash by a NULL pointer dereference when sending the
+ byte sequences «0xff 0xf7» or «0xff 0xf8».
+Authors:
+ Pierre Kim (original patch),
+ Alexandre Torres (original patch),
+ Erik Auerswald <auerswal@unix-ag.uni-kl.de> (adapted patch),
+Reviewed-by: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
+Origin: upstream
+Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
+Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
+Last-Update: 2022-08-28
+
+
+diff --git a/telnetd/state.c b/telnetd/state.c
+index ffc6cbaf..c2d760f8 100644
+--- a/telnetd/state.c
++++ b/telnetd/state.c
+@@ -312,15 +312,21 @@ telrcv (void)
+ case EC:
+ case EL:
+ {
+- cc_t ch;
++ cc_t ch = (cc_t) (_POSIX_VDISABLE);
+
+ DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
+ ptyflush (); /* half-hearted */
+ init_termbuf ();
+ if (c == EC)
+- ch = *slctab[SLC_EC].sptr;
++ {
++ if (slctab[SLC_EC].sptr)
++ ch = *slctab[SLC_EC].sptr;
++ }
+ else
+- ch = *slctab[SLC_EL].sptr;
++ {
++ if (slctab[SLC_EL].sptr)
++ ch = *slctab[SLC_EL].sptr;
++ }
+ if (ch != (cc_t) (_POSIX_VDISABLE))
+ pty_output_byte ((unsigned char) ch);
+ break;
diff --git a/debian/patches/series b/debian/patches/series
index cf01827..5aeff0b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,4 +4,5 @@
 0003-inetd-Change-protocol-semantics-in-inetd.conf.patch
 0004-telnet-Add-checks-for-option-reply-parsing-limits.patch
 0005-Use-krb5_auth_con_getsendsubkey-instead-of-krb5_auth.patch
+inetutils-telnetd-EC_EL_null_deref.patch
 # Upstream git |
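Review bot: The new NULL checks on `slctab[SLC_EC].sptr` and `slctab[SLC_EL].sptr` in the EC/EL case of telrcv() carry no comment saying why the pointer can be unset when the command arrives, so a later reader cannot tell a deliberate drop from an oversight. I would add above `if (c == EC)` a comment such as `/* sptr may be NULL if the peer sends EC/EL before the SLC entry has been bound to a terminal character; ignore the request rather than dereference. */`. That condition is inferred from the patch description and should be confirmed against the code that assigns `sptr`. The two branches differ only in the table index, so `cc_t *p = slctab[c == EC ? SLC_EC : SLC_EL].sptr; if (p) ch = *p;` would keep the guard in one place. telrcv's body starts and ends outside the hunk, and whether other reads through `sptr` elsewhere in telnetd are guarded is not visible here, so they are worth auditing alongside this fix.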
