diff --git a/SOURCES/telnet-0.17-overflow-exploit.patch b/SOURCES/telnet-0.17-overflow-exploit.patch
new file mode 100644
index 0000000..fc273d5
--- /dev/null
+++ b/SOURCES/telnet-0.17-overflow-exploit.patch
@@ -0,0 +1,92 @@
+diff -up netkit-telnet-0.17/telnetd/utility.c.orig netkit-telnet-0.17/telnetd/utility.c
+--- netkit-telnet-0.17/telnetd/utility.c.orig	2020-03-25 11:53:56.772624325 +0100
++++ netkit-telnet-0.17/telnetd/utility.c	2020-03-25 11:54:01.966601415 +0100
+@@ -221,31 +221,38 @@ void 	ptyflush(void)
+  */
+ static
+ char *
+-nextitem(char *current)
++nextitem(char *current, const char *endp)
+ {
++    if (current >= endp) {
++        return NULL;
++    }
+     if ((*current&0xff) != IAC) {
+ 	return current+1;
+     }
++    if (current+1 >= endp) {
++        return NULL;
++    }
+     switch (*(current+1)&0xff) {
+     case DO:
+     case DONT:
+     case WILL:
+     case WONT:
+-	return current+3;
++	return current+3 <= endp ? current+3 : NULL;
+     case SB:		/* loop forever looking for the SE */
+ 	{
+ 	    register char *look = current+2;
+ 
+-	    for (;;) {
++	    while (look < endp) {
+ 		if ((*look++&0xff) == IAC) {
+-		    if ((*look++&0xff) == SE) {
++		    if (look < endp && (*look++&0xff) == SE) {
+ 			return look;
+ 		    }
+ 		}
+ 	    }
++	    return NULL;
+ 	}
+     default:
+-	return current+2;
++	return current+2 <= endp ? current+2 : NULL;
+     }
+ }  /* end of nextitem */
+ 
+@@ -271,7 +278,7 @@ void netclear(void)
+     register char *thisitem, *next;
+     char *good;
+ #define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
+-				((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
++				(nfrontp > p+1 && (((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))))
+ 
+ #if	defined(ENCRYPT)
+     thisitem = nclearto > netobuf ? nclearto : netobuf;
+@@ -279,7 +286,7 @@ void netclear(void)
+     thisitem = netobuf;
+ #endif
+ 
+-    while ((next = nextitem(thisitem)) <= nbackp) {
++    while ((next = nextitem(thisitem, nbackp)) != NULL && next <= nbackp) {
+ 	thisitem = next;
+     }
+ 
+@@ -291,20 +298,23 @@ void netclear(void)
+     good = netobuf;	/* where the good bytes go */
+ #endif
+ 
+-    while (nfrontp > thisitem) {
++    while (thisitem != NULL && nfrontp > thisitem) {
+ 	if (wewant(thisitem)) {
+ 	    int length;
+ 
+ 	    next = thisitem;
+ 	    do {
+-		next = nextitem(next);
+-	    } while (wewant(next) && (nfrontp > next));
++		next = nextitem(next, nfrontp);
++	    } while (next != NULL && wewant(next) && (nfrontp > next));
++	    if (next == NULL) {
++		next = nfrontp;
++	    }
+ 	    length = next-thisitem;
+ 	    bcopy(thisitem, good, length);
+ 	    good += length;
+ 	    thisitem = next;
+ 	} else {
+-	    thisitem = nextitem(thisitem);
++	    thisitem = nextitem(thisitem, nfrontp);
+ 	}
+     }
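Review bot: The SB branch comment `/* loop forever looking for the SE */` in nextitem() is stale, because the loop now stops at `endp` and returns NULL for an unterminated subnegotiation. That comment and the function's header comment (which begins above this hunk) should state the new contract, for example `/* scan for IAC SE, stopping at endp; NULL if the item is incomplete */`, so future callers know they must handle NULL. The checks `current+3 <= endp` and `current+2 <= endp` form the pointer before testing it. If `endp` can sit at the very end of `netobuf` (not visible here), `current+3` may point more than one past the array, so `endp - current >= 3` is the safer spelling. netclear()'s body continues past the end of this hunk, so any later use of `thisitem` or `next` after the loop should be checked against the new NULL return as well.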
diff --git a/SPECS/telnet.spec b/SPECS/telnet.spec
index 2de1383..eedcc93 100644
--- a/SPECS/telnet.spec
+++ b/SPECS/telnet.spec
@@ -3,7 +3,7 @@
 Summary: The client program for the Telnet remote login protocol
 Name: telnet
 Version: 0.17
-Release: 73%{?dist}
+Release: 73%{?dist}.1
 Epoch: 1
 License: BSD
 Group: Applications/Internet
@@ -41,6 +41,7 @@ Patch29: netkit-telnet-0.17-gcc7.patch
 Patch30: netkit-telnet-0.17-manpage.patch
 Patch31: netkit-telnet-0.17-covscan.patch
 Patch32: telnet-log-address.patch
+Patch33: telnet-0.17-overflow-exploit.patch
 
 BuildRequires: ncurses-devel systemd
 BuildRequires: perl-interpreter
@@ -97,6 +98,7 @@ mv telnet telnet-NETKIT
 %patch30 -p1 -b .manpage
 %patch31 -p1 -b .covscan
 %patch32 -p1 -b .log-address
+%patch33 -p1 -b .overflow
 
 %build
 %ifarch s390 s390x
@@ -162,6 +164,9 @@ install -p -m644 %SOURCE6 ${RPM_BUILD_ROOT}%{_unitdir}/telnet.socket
 %{_mandir}/man8/telnetd.8*
 
 %changelog
+* Thu Mar 26 2020 Michal Ruprich <michalruprich@gmail.com> - 1:0.17-73.1
+- Resolves: #1814473 - Arbitrary remote code execution in utility.c via short writes or urgent data
+
 * Thu Oct 04 2018 Michal Ruprich <mruprich@redhat.com> - 1:0.17-73
 - Resolves: #1602711 - Please review important issues found by covscan
 - Resolves: #1637085 - Option -i is missing in telnet in el8 but is available in el7