netkit-telnet: fix CVE-2020-10188

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-10188 Patch from Fedora: https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Yi Zhao <yi.zhao@windriver.com> 2020-04-24 10:07:13 +0800
committer: Khem Raj <raj.khem@gmail.com> 2020-04-25 08:32:42 -0700
commit: 9bfc740863dd5adb89987d9ac5cdf0b655d4f261 (patch)
tree: 8b47a8837246f6ad006d95e2d9d4fa14c71138a2
parent: 652c27ebb464f4d6104dfbb610569ffd5ec1bfc1 (diff)
download: meta-openembedded-9bfc740863dd5adb89987d9ac5cdf0b655d4f261.tar.gz
2 files changed, 113 insertions, 0 deletions
diff --git a/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2020-10188.patch b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2020-10188.patch
new file mode 100644
index 000000000..d21c60274
--- /dev/null
+++ b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2020-10188.patch
@@ -0,0 +1,112 @@
+From 6ab007dbb1958371abff2eaaad2b26da89b3c74e Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 24 Apr 2020 09:43:44 +0800
+Subject: [PATCH] telnetd/utility.c: fix CVE-2020-10188
+Upstream-Status: Backport
+[Fedora: https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch]
+CVE: CVE-2020-10188
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ telnetd/utility.c | 32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index 75314cb..b9a46a6 100644
+--- a/telnetd/utility.c
+++ b/telnetd/utility.c
+@@ -169,31 +169,38 @@ void      ptyflush(void)
+  */
+ static
+ char *
+-nextitem(char *current)
+nextitem(char *current, const char *endp)
+ {
+    if (current >= endp) {
+        return NULL;
+    }
+     if ((*current&0xff) != IAC) {
+        return current+1;
+     }
+    if (current+1 >= endp) {
+        return NULL;
+    }
+     switch (*(current+1)&0xff) {
+     case DO:
+     case DONT:
+     case WILL:
+     case WONT:
+-       return current+3;
+       return current+3 <= endp ? current+3 : NULL;
+     case SB:           /* loop forever looking for the SE */
+        {
+            register char *look = current+2;
+ 
+-           for (;;) {
+           while (look < endp) {
+                if ((*look++&0xff) == IAC) {
+-                   if ((*look++&0xff) == SE) {
+                   if (look < endp && (*look++&0xff) == SE) {
+                        return look;
+                    }
+                }
+            }
+           return NULL;
+        }
+     default:
+-       return current+2;
+       return current+2 <= endp ? current+2 : NULL;
+     }
+ }  /* end of nextitem */
+ 
+@@ -219,7 +226,7 @@ void netclear(void)
+     register char *thisitem, *next;
+     char *good;
+ #define        wewant(p)       ((nfrontp > p) && ((*p&0xff) == IAC) && \
+-                               ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+                               (nfrontp > p+1 && (((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))))
+ 
+ #if    defined(ENCRYPT)
+     thisitem = nclearto > netobuf ? nclearto : netobuf;
+@@ -227,7 +234,7 @@ void netclear(void)
+     thisitem = netobuf;
+ #endif
+ 
+-    while ((next = nextitem(thisitem)) <= nbackp) {
+    while ((next = nextitem(thisitem, nbackp)) != NULL && next <= nbackp) {
+        thisitem = next;
+     }
+ 
+@@ -239,20 +246,23 @@ void netclear(void)
+     good = netobuf;    /* where the good bytes go */
+ #endif
+ 
+-    while (nfrontp > thisitem) {
+    while (thisitem != NULL && nfrontp > thisitem) {
+        if (wewant(thisitem)) {
+            int length;
+ 
+            next = thisitem;
+            do {
+-               next = nextitem(next);
+-           } while (wewant(next) && (nfrontp > next));
+               next = nextitem(next, nfrontp);
+           } while (next != NULL && wewant(next) && (nfrontp > next));
+           if (next == NULL) {
+               next = nfrontp;
+           }
+            length = next-thisitem;
+            bcopy(thisitem, good, length);
+            good += length;
+            thisitem = next;
+        } else {
+-           thisitem = nextitem(thisitem);
+           thisitem = nextitem(thisitem, nfrontp);
+        }
+     }
+ 
+-- 
+2.7.4
diff --git a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
index ffd3b48e8..0e92add63 100644
--- a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
+++ b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://ftp.linux.org.uk/pub/linux/Networking/netkit/${BP}.tar.gz \
           file://cross-compile.patch \
           file://0001-telnet-telnetd-Fix-print-format-strings.patch \
           file://0001-telnet-telnetd-Fix-deadlock-on-cleanup.patch \
+           file://CVE-2020-10188.patch \
           "
 UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/"
author	Yi Zhao <yi.zhao@windriver.com>	2020-04-24 10:07:13 +0800
committer	Khem Raj <raj.khem@gmail.com>	2020-04-25 08:32:42 -0700
commit	9bfc740863dd5adb89987d9ac5cdf0b655d4f261 (patch)
tree	8b47a8837246f6ad006d95e2d9d4fa14c71138a2
parent	652c27ebb464f4d6104dfbb610569ffd5ec1bfc1 (diff)
download	meta-openembedded-9bfc740863dd5adb89987d9ac5cdf0b655d4f261.tar.gz

diff --git a/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2020-10188.patch b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2020-10188.patch new file mode 100644 index 000000000..d21c60274 --- /dev/null +++ b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2020-10188.patch
@@ -0,0 +1,112 @@
		1	From 6ab007dbb1958371abff2eaaad2b26da89b3c74e Mon Sep 17 00:00:00 2001
		2	From: Yi Zhao <yi.zhao@windriver.com>
		3	Date: Fri, 24 Apr 2020 09:43:44 +0800
		4	Subject: [PATCH] telnetd/utility.c: fix CVE-2020-10188
		5
		6	Upstream-Status: Backport
		7	[Fedora: https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch]
		8
		9	CVE: CVE-2020-10188
		10
		11	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		12	---
		13	telnetd/utility.c \| 32 +++++++++++++++++++++-----------
		14	1 file changed, 21 insertions(+), 11 deletions(-)
		15
		16	diff --git a/telnetd/utility.c b/telnetd/utility.c
		17	index 75314cb..b9a46a6 100644
		18	--- a/telnetd/utility.c
		19	+++ b/telnetd/utility.c
		20	@@ -169,31 +169,38 @@ void ptyflush(void)
		21	*/
		22	static
		23	char *
		24	-nextitem(char *current)
		25	+nextitem(char current, const char endp)
		26	{
		27	+ if (current >= endp) {
		28	+ return NULL;
		29	+ }
		30	if ((*current&0xff) != IAC) {
		31	return current+1;
		32	}
		33	+ if (current+1 >= endp) {
		34	+ return NULL;
		35	+ }
		36	switch (*(current+1)&0xff) {
		37	case DO:
		38	case DONT:
		39	case WILL:
		40	case WONT:
		41	- return current+3;
		42	+ return current+3 <= endp ? current+3 : NULL;
		43	case SB: /* loop forever looking for the SE */
		44	{
		45	register char *look = current+2;
		46
		47	- for (;;) {
		48	+ while (look < endp) {
		49	if ((*look++&0xff) == IAC) {
		50	- if ((*look++&0xff) == SE) {
		51	+ if (look < endp && (*look++&0xff) == SE) {
		52	return look;
		53	}
		54	}
		55	}
		56	+ return NULL;
		57	}
		58	default:
		59	- return current+2;
		60	+ return current+2 <= endp ? current+2 : NULL;
		61	}
		62	} /* end of nextitem */
		63
		64	@@ -219,7 +226,7 @@ void netclear(void)
		65	register char thisitem, next;
		66	char *good;
		67	#define wewant(p) ((nfrontp > p) && ((*p&0xff) == IAC) && \
		68	- (((p+1)&0xff) != EC) && (((p+1)&0xff) != EL))
		69	+ (nfrontp > p+1 && ((((p+1)&0xff) != EC) && (((p+1)&0xff) != EL))))
		70
		71	#if defined(ENCRYPT)
		72	thisitem = nclearto > netobuf ? nclearto : netobuf;
		73	@@ -227,7 +234,7 @@ void netclear(void)
		74	thisitem = netobuf;
		75	#endif
		76
		77	- while ((next = nextitem(thisitem)) <= nbackp) {
		78	+ while ((next = nextitem(thisitem, nbackp)) != NULL && next <= nbackp) {
		79	thisitem = next;
		80	}
		81
		82	@@ -239,20 +246,23 @@ void netclear(void)
		83	good = netobuf; /* where the good bytes go */
		84	#endif
		85
		86	- while (nfrontp > thisitem) {
		87	+ while (thisitem != NULL && nfrontp > thisitem) {
		88	if (wewant(thisitem)) {
		89	int length;
		90
		91	next = thisitem;
		92	do {
		93	- next = nextitem(next);
		94	- } while (wewant(next) && (nfrontp > next));
		95	+ next = nextitem(next, nfrontp);
		96	+ } while (next != NULL && wewant(next) && (nfrontp > next));
		97	+ if (next == NULL) {
		98	+ next = nfrontp;
		99	+ }
		100	length = next-thisitem;
		101	bcopy(thisitem, good, length);
		102	good += length;
		103	thisitem = next;
		104	} else {
		105	- thisitem = nextitem(thisitem);
		106	+ thisitem = nextitem(thisitem, nfrontp);
		107	}
		108	}
		109
		110	--
		111	2.7.4
		112


diff --git a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb index ffd3b48e8..0e92add63 100644 --- a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb +++ b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://ftp.linux.org.uk/pub/linux/Networking/netkit/${BP}.tar.gz \
12	file://cross-compile.patch \	12	file://cross-compile.patch \
13	file://0001-telnet-telnetd-Fix-print-format-strings.patch \	13	file://0001-telnet-telnetd-Fix-print-format-strings.patch \
14	file://0001-telnet-telnetd-Fix-deadlock-on-cleanup.patch \	14	file://0001-telnet-telnetd-Fix-deadlock-on-cleanup.patch \
		15	file://CVE-2020-10188.patch \
15	"	16	"
16		17
17	UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/"	18	UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/"