diff options
author | Minjae Kim <flowergom@gmail.com> | 2022-09-26 23:33:08 +0200 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2022-09-26 12:29:44 -1000 |
commit | 1c385e70d4bfab2334361ba82f29988bb11d6902 (patch) | |
tree | 54b56b287197b76be3c428eb8abc35c6973092f1 | |
parent | ef38f7acee3f0ae400138fa60f4695a86dffc16e (diff) | |
download | openembedded-core-contrib-1c385e70d4bfab2334361ba82f29988bb11d6902.tar.gz |
inetutils: CVE-2022-39028 - fix remote DoS vulnerability in inetutils-telnetd
Fix telnetd crash if the first two bytes of a new connection
are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL).
CVE: CVE-2022-39028
Signed-off-by:Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch | 54 | ||||
-rw-r--r-- | meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb | 1 |
2 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch new file mode 100644 index 0000000000..da2da8da8a --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch @@ -0,0 +1,54 @@ +From eaae65aac967f9628787dca4a2501ca860bb6598 Mon Sep 17 00:00:00 2001 +From: Minjae Kim <flowergom@gmail.com> +Date: Mon, 26 Sep 2022 22:05:07 +0200 +Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt + +Fix telnetd crash if the first two bytes of a new connection +are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL). + +The problem was reported in: +<https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html>. + +* NEWS: Mention fix. +* telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and +zero slctab[SLC_EL].sptr. + +CVE: CVE-2022-39028 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f] +Signed-off-by: Minjae Kim<flowergom@gmail.com> +--- + telnetd/state.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/telnetd/state.c b/telnetd/state.c +index 2184bca..7948503 100644 +--- a/telnetd/state.c ++++ b/telnetd/state.c +@@ -314,15 +314,21 @@ telrcv (void) + case EC: + case EL: + { +- cc_t ch; ++ cc_t ch = (cc_t) (_POSIX_VDISABLE); + + DEBUG (debug_options, 1, printoption ("td: recv IAC", c)); + ptyflush (); /* half-hearted */ + init_termbuf (); + if (c == EC) +- ch = *slctab[SLC_EC].sptr; ++ { ++ if (slctab[SLC_EC].sptr) ++ ch = *slctab[SLC_EC].sptr; ++ } + else +- ch = *slctab[SLC_EL].sptr; ++ { ++ if (slctab[SLC_EL].sptr) ++ ch = *slctab[SLC_EL].sptr; ++ } + if (ch != (cc_t) (_POSIX_VDISABLE)) + pty_output_byte ((unsigned char) ch); + break; +-- +2.25.1 + diff --git a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb index f4450e19f4..fe391b8bce 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb @@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.gz \ file://0001-rcp-fix-to-work-with-large-files.patch \ file://fix-buffer-fortify-tfpt.patch \ file://CVE-2021-40491.patch \ + file://CVE-2022-39028.patch \ " SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52" |