inetutils: CVE-2022-39028 - fix remote DoS vulnerability in inetutils-telnetd
Fix telnetd crash if the first two bytes of a new connection are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL). CVE: CVE-2022-39028 (From OE-Core rev: 1c385e70d4bfab2334361ba82f29988bb11d6902) Signed-off-by:Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
committed by
Richard Purdie
parent
d7194226b1
commit
243a95b193
@@ -0,0 +1,54 @@
|
||||
From eaae65aac967f9628787dca4a2501ca860bb6598 Mon Sep 17 00:00:00 2001
|
||||
From: Minjae Kim <flowergom@gmail.com>
|
||||
Date: Mon, 26 Sep 2022 22:05:07 +0200
|
||||
Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt
|
||||
|
||||
Fix telnetd crash if the first two bytes of a new connection
|
||||
are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL).
|
||||
|
||||
The problem was reported in:
|
||||
<https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html>.
|
||||
|
||||
* NEWS: Mention fix.
|
||||
* telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and
|
||||
zero slctab[SLC_EL].sptr.
|
||||
|
||||
CVE: CVE-2022-39028
|
||||
Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f]
|
||||
Signed-off-by: Minjae Kim<flowergom@gmail.com>
|
||||
---
|
||||
telnetd/state.c | 12 +++++++++---
|
||||
1 file changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/telnetd/state.c b/telnetd/state.c
|
||||
index 2184bca..7948503 100644
|
||||
--- a/telnetd/state.c
|
||||
+++ b/telnetd/state.c
|
||||
@@ -314,15 +314,21 @@ telrcv (void)
|
||||
case EC:
|
||||
case EL:
|
||||
{
|
||||
- cc_t ch;
|
||||
+ cc_t ch = (cc_t) (_POSIX_VDISABLE);
|
||||
|
||||
DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
|
||||
ptyflush (); /* half-hearted */
|
||||
init_termbuf ();
|
||||
if (c == EC)
|
||||
- ch = *slctab[SLC_EC].sptr;
|
||||
+ {
|
||||
+ if (slctab[SLC_EC].sptr)
|
||||
+ ch = *slctab[SLC_EC].sptr;
|
||||
+ }
|
||||
else
|
||||
- ch = *slctab[SLC_EL].sptr;
|
||||
+ {
|
||||
+ if (slctab[SLC_EL].sptr)
|
||||
+ ch = *slctab[SLC_EL].sptr;
|
||||
+ }
|
||||
if (ch != (cc_t) (_POSIX_VDISABLE))
|
||||
pty_output_byte ((unsigned char) ch);
|
||||
break;
|
||||
--
|
||||
2.25.1
|
||||
|
||||
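Review bot: The patch header's changelog lists `* NEWS: Mention fix.`, but the diffstat and the only hunk cover `telnetd/state.c` alone, so the header describes a change this backport does not carry. Anyone auditing the patch against the commit named in `Upstream-Status` will see a mismatch; either drop that changelog line or add a header line such as `NEWS hunk from the upstream commit is not included in this backport.` (presumably the upstream commit had one; confirm before wording it that way). The trailer `Signed-off-by: Minjae Kim<flowergom@gmail.com>` is missing the space before `<` and should read `Signed-off-by: Minjae Kim <flowergom@gmail.com>`. The body of `telrcv` starts and ends outside the hunk, so this page cannot show whether any other `slctab[...].sptr` dereference is reachable before the table is initialised; that is worth checking in the full file.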
@@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.gz \
|
||||
file://0001-rcp-fix-to-work-with-large-files.patch \
|
||||
file://fix-buffer-fortify-tfpt.patch \
|
||||
file://CVE-2021-40491.patch \
|
||||
file://CVE-2022-39028.patch \
|
||||
"
|
||||
|
||||
SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52"
|
||||
|
||||