From ca01740dc240b61acb50da4e074822590583f7ae Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 30 2021 15:11:05 +0000 Subject: import telnet-0.17-76.el8 --- diff --git a/SOURCES/telnet-0.17-pty-retry.patch b/SOURCES/telnet-0.17-pty-retry.patch new file mode 100644 index 0000000..0d787f4 --- /dev/null +++ b/SOURCES/telnet-0.17-pty-retry.patch @@ -0,0 +1,42 @@ +--- a/telnetd/telnetd.c ++++ b/telnetd/telnetd.c +@@ -772,7 +772,6 @@ void telnet(int f, int p) + int on = 1; + char *HE; + const char *IM; +- int pty_read_ok = 0; /* track whether the pty read has worked yet */ + + /* + * Initialize the slc mapping table. +@@ -1086,19 +1085,24 @@ void telnet(int f, int p) + * Something to read from the pty... + */ + if (FD_ISSET(p, &ibits)) { ++ int eio = 0; ++read_pty: + pcc = read(p, ptyibuf, BUFSIZ); +- /* +- * On some systems, if we try to read something +- * off the master side before the slave side is +- * opened, we get EIO. +- */ +- if (pcc < 0 && (errno == EWOULDBLOCK || (errno == EIO && pty_read_ok == 0))) { ++ if (pcc < 0 && errno == EWOULDBLOCK) { + pcc = 0; + } ++ /* ++ * If we try to read something off the master side while the slave ++ * side is temporarily closed by login process, we get EIO. ++ */ ++ else if (pcc < 0 && errno == EIO && eio < 1000) { ++ eio++; ++ poll(NULL, 0, 10); ++ goto read_pty; ++ } + else { + if (pcc <= 0) + break; +- pty_read_ok = 1; /* mark connection up for read */ + #ifdef LINEMODE + /* + * If ioctl from pty, pass it through net diff --git a/SOURCES/telnet-0.17-sigpipe-segfault.patch b/SOURCES/telnet-0.17-sigpipe-segfault.patch new file mode 100644 index 0000000..1570ab0 --- /dev/null +++ b/SOURCES/telnet-0.17-sigpipe-segfault.patch @@ -0,0 +1,15 @@ +diff --git a/telnet/sys_bsd.c.old b/telnet/sys_bsd.c +index 9e05171..39845ac 100644 +--- a/telnet/sys_bsd.c.old ++++ b/telnet/sys_bsd.c +@@ -833,6 +833,10 @@ NetSetPgrp(int fd) + void + deadpeer(int sig) + { ++ if(sig == SIGPIPE) { ++ signal(SIGPIPE, SIG_DFL); ++ fprintf(stderr, "Broken pipe\n"); ++ } + (void)sig; + setcommandmode(); + siglongjmp(peerdied, -1); diff --git a/SPECS/telnet.spec b/SPECS/telnet.spec index eedcc93..1251c1d 100644 --- a/SPECS/telnet.spec +++ b/SPECS/telnet.spec @@ -3,7 +3,7 @@ Summary: The client program for the Telnet remote login protocol Name: telnet Version: 0.17 -Release: 73%{?dist}.1 +Release: 76%{?dist} Epoch: 1 License: BSD Group: Applications/Internet @@ -42,6 +42,8 @@ Patch30: netkit-telnet-0.17-manpage.patch Patch31: netkit-telnet-0.17-covscan.patch Patch32: telnet-log-address.patch Patch33: telnet-0.17-overflow-exploit.patch +Patch34: telnet-0.17-pty-retry.patch +Patch35: telnet-0.17-sigpipe-segfault.patch BuildRequires: ncurses-devel systemd BuildRequires: perl-interpreter @@ -99,6 +101,8 @@ mv telnet telnet-NETKIT %patch31 -p1 -b .covscan %patch32 -p1 -b .log-address %patch33 -p1 -b .overflow +%patch34 -p1 -b .pty-retry +%patch35 -p1 -b .sigpipe %build %ifarch s390 s390x @@ -164,8 +168,14 @@ install -p -m644 %SOURCE6 ${RPM_BUILD_ROOT}%{_unitdir}/telnet.socket %{_mandir}/man8/telnetd.8* %changelog -* Thu Mar 26 2020 Michal Ruprich - 1:0.17-73.1 -- Resolves: #1814473 - Arbitrary remote code execution in utility.c via short writes or urgent data +* Tue Dec 15 2020 Michal Ruprich - 1:0.17-76 +- Resolves: #1895387 - telnet crashes on stack overflow due to infinite recursion + +* Tue Oct 27 2020 Michal Ruprich - 1:0.17-75 +- Resolves: #1881335 - in.telnetd needs to tolerate temporary EIO errors + +* Thu Mar 26 2020 Michal Ruprich - 1:0.17-74 +- Resolves: #1814474 - Arbitrary remote code execution in utility.c via short writes or urgent data * Thu Oct 04 2018 Michal Ruprich - 1:0.17-73 - Resolves: #1602711 - Please review important issues found by covscan