From f4defd972f9b0fc10d26e41a453713b94414d860 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 06 2020 12:23:56 +0000 Subject: import telnet-0.17-65.el7_8 --- diff --git a/SOURCES/telnet-0.17-overflow-exploit.patch b/SOURCES/telnet-0.17-overflow-exploit.patch new file mode 100644 index 0000000..fc273d5 --- /dev/null +++ b/SOURCES/telnet-0.17-overflow-exploit.patch @@ -0,0 +1,92 @@ +diff -up netkit-telnet-0.17/telnetd/utility.c.orig netkit-telnet-0.17/telnetd/utility.c +--- netkit-telnet-0.17/telnetd/utility.c.orig 2020-03-25 11:53:56.772624325 +0100 ++++ netkit-telnet-0.17/telnetd/utility.c 2020-03-25 11:54:01.966601415 +0100 +@@ -221,31 +221,38 @@ void ptyflush(void) + */ + static + char * +-nextitem(char *current) ++nextitem(char *current, const char *endp) + { ++ if (current >= endp) { ++ return NULL; ++ } + if ((*current&0xff) != IAC) { + return current+1; + } ++ if (current+1 >= endp) { ++ return NULL; ++ } + switch (*(current+1)&0xff) { + case DO: + case DONT: + case WILL: + case WONT: +- return current+3; ++ return current+3 <= endp ? current+3 : NULL; + case SB: /* loop forever looking for the SE */ + { + register char *look = current+2; + +- for (;;) { ++ while (look < endp) { + if ((*look++&0xff) == IAC) { +- if ((*look++&0xff) == SE) { ++ if (look < endp && (*look++&0xff) == SE) { + return look; + } + } + } ++ return NULL; + } + default: +- return current+2; ++ return current+2 <= endp ? current+2 : NULL; + } + } /* end of nextitem */ + +@@ -271,7 +278,7 @@ void netclear(void) + register char *thisitem, *next; + char *good; + #define wewant(p) ((nfrontp > p) && ((*p&0xff) == IAC) && \ +- ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL)) ++ (nfrontp > p+1 && (((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL)))) + + #if defined(ENCRYPT) + thisitem = nclearto > netobuf ? nclearto : netobuf; +@@ -279,7 +286,7 @@ void netclear(void) + thisitem = netobuf; + #endif + +- while ((next = nextitem(thisitem)) <= nbackp) { ++ while ((next = nextitem(thisitem, nbackp)) != NULL && next <= nbackp) { + thisitem = next; + } + +@@ -291,20 +298,23 @@ void netclear(void) + good = netobuf; /* where the good bytes go */ + #endif + +- while (nfrontp > thisitem) { ++ while (thisitem != NULL && nfrontp > thisitem) { + if (wewant(thisitem)) { + int length; + + next = thisitem; + do { +- next = nextitem(next); +- } while (wewant(next) && (nfrontp > next)); ++ next = nextitem(next, nfrontp); ++ } while (next != NULL && wewant(next) && (nfrontp > next)); ++ if (next == NULL) { ++ next = nfrontp; ++ } + length = next-thisitem; + bcopy(thisitem, good, length); + good += length; + thisitem = next; + } else { +- thisitem = nextitem(thisitem); ++ thisitem = nextitem(thisitem, nfrontp); + } + } diff --git a/SPECS/telnet.spec b/SPECS/telnet.spec index faeab18..d66508b 100644 --- a/SPECS/telnet.spec +++ b/SPECS/telnet.spec @@ -3,7 +3,7 @@ Summary: The client program for the Telnet remote login protocol Name: telnet Version: 0.17 -Release: 64%{?dist} +Release: 65%{?dist} Epoch: 1 License: BSD Group: Applications/Internet @@ -38,6 +38,7 @@ Patch26: telnet-rh825946.patch Patch27: telnet-log-address.patch Patch28: telnet-0.17-force-ipv6-ipv4.patch Patch29: netkit-telnet-0.17-manpage.patch +Patch30: telnet-0.17-overflow-exploit.patch BuildRequires: ncurses-devel systemd @@ -90,6 +91,7 @@ mv telnet telnet-NETKIT %patch27 -p1 -b .rh1323094 %patch28 -p1 -b .ipv6-support %patch29 -p1 -b .manpage +%patch30 -p1 -b .overflow %build %ifarch s390 s390x @@ -155,6 +157,9 @@ install -p -m644 %SOURCE6 ${RPM_BUILD_ROOT}%{_unitdir}/telnet.socket %{_mandir}/man8/telnetd.8* %changelog +* Thu Mar 26 2020 Michal Ruprich - 1:0.17-65 +- Resolves: #1814475 - Arbitrary remote code execution in utility.c via short writes or urgent data + * Wed Apr 19 2017 Michal Ruprich - 1:0.17-64 - Related: #1367415 - No option to specify IPv6 or IPv4 explicitly must be used - more clear formulation of man page note - previous note was a bit ambiguous