inetutils: CVE-2022-39028 - fix remote DoS vulnerability in inetutils-telnetd

Fix telnetd crash if the first two bytes of a new connection are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL). CVE: CVE-2022-39028 (From OE-Core rev: 1c385e70d4bfab2334361ba82f29988bb11d6902) Signed-off-by:Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Minjae Kim <flowergom@gmail.com> 2022-09-26 23:33:08 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-09-30 16:34:52 +0100
commit: 243a95b193ad01d375adc6950bf5beb50ef617cc (patch)
tree: 0cfb9dacc19ce460ca98611c6c67cb8b58febb2f
parent: d7194226b19e45251e80cc3c02f62849ec63f8b0 (diff)
download: poky-243a95b193ad01d375adc6950bf5beb50ef617cc.tar.gz
2 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch
new file mode 100644
index 0000000000..da2da8da8a
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch
@@ -0,0 +1,54 @@
+From eaae65aac967f9628787dca4a2501ca860bb6598 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Mon, 26 Sep 2022 22:05:07 +0200
+Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt
+Fix telnetd crash if the first two bytes of a new connection
+are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL).
+The problem was reported in:
+<https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html>.
+* NEWS: Mention fix.
+* telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and
+zero slctab[SLC_EL].sptr.
+CVE: CVE-2022-39028
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f]
+Signed-off-by: Minjae Kim<flowergom@gmail.com>
+---
+ telnetd/state.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+diff --git a/telnetd/state.c b/telnetd/state.c
+index 2184bca..7948503 100644
+--- a/telnetd/state.c
+++ b/telnetd/state.c
+@@ -314,15 +314,21 @@ telrcv (void)
+            case EC:
+            case EL:
+              {
+-               cc_t ch;
+               cc_t ch = (cc_t) (_POSIX_VDISABLE);
+ 
+                DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
+                ptyflush ();    /* half-hearted */
+                init_termbuf ();
+                if (c == EC)
+-                 ch = *slctab[SLC_EC].sptr;
+               {
+                 if (slctab[SLC_EC].sptr)
+                   ch = *slctab[SLC_EC].sptr;
+               }
+                else
+-                 ch = *slctab[SLC_EL].sptr;
+               {
+                 if (slctab[SLC_EL].sptr)
+                   ch = *slctab[SLC_EL].sptr;
+               }
+                if (ch != (cc_t) (_POSIX_VDISABLE))
+                  pty_output_byte ((unsigned char) ch);
+                break;
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
index f4450e19f4..fe391b8bce 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
@@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.gz \
           file://0001-rcp-fix-to-work-with-large-files.patch \
           file://fix-buffer-fortify-tfpt.patch \
           file://CVE-2021-40491.patch \
+           file://CVE-2022-39028.patch \
 "
 SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52"
author	Minjae Kim <flowergom@gmail.com>	2022-09-26 23:33:08 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-09-30 16:34:52 +0100
commit	243a95b193ad01d375adc6950bf5beb50ef617cc (patch)
tree	0cfb9dacc19ce460ca98611c6c67cb8b58febb2f
parent	d7194226b19e45251e80cc3c02f62849ec63f8b0 (diff)
download	poky-243a95b193ad01d375adc6950bf5beb50ef617cc.tar.gz

diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch new file mode 100644 index 0000000000..da2da8da8a --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch
@@ -0,0 +1,54 @@
		1	From eaae65aac967f9628787dca4a2501ca860bb6598 Mon Sep 17 00:00:00 2001
		2	From: Minjae Kim <flowergom@gmail.com>
		3	Date: Mon, 26 Sep 2022 22:05:07 +0200
		4	Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt
		5
		6	Fix telnetd crash if the first two bytes of a new connection
		7	are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL).
		8
		9	The problem was reported in:
		10	<https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html>.
		11
		12	* NEWS: Mention fix.
		13	* telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and
		14	zero slctab[SLC_EL].sptr.
		15
		16	CVE: CVE-2022-39028
		17	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f]
		18	Signed-off-by: Minjae Kim<flowergom@gmail.com>
		19	---
		20	telnetd/state.c \| 12 +++++++++---
		21	1 file changed, 9 insertions(+), 3 deletions(-)
		22
		23	diff --git a/telnetd/state.c b/telnetd/state.c
		24	index 2184bca..7948503 100644
		25	--- a/telnetd/state.c
		26	+++ b/telnetd/state.c
		27	@@ -314,15 +314,21 @@ telrcv (void)
		28	case EC:
		29	case EL:
		30	{
		31	- cc_t ch;
		32	+ cc_t ch = (cc_t) (_POSIX_VDISABLE);
		33
		34	DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
		35	ptyflush (); /* half-hearted */
		36	init_termbuf ();
		37	if (c == EC)
		38	- ch = *slctab[SLC_EC].sptr;
		39	+ {
		40	+ if (slctab[SLC_EC].sptr)
		41	+ ch = *slctab[SLC_EC].sptr;
		42	+ }
		43	else
		44	- ch = *slctab[SLC_EL].sptr;
		45	+ {
		46	+ if (slctab[SLC_EL].sptr)
		47	+ ch = *slctab[SLC_EL].sptr;
		48	+ }
		49	if (ch != (cc_t) (_POSIX_VDISABLE))
		50	pty_output_byte ((unsigned char) ch);
		51	break;
		52	--
		53	2.25.1
		54


diff --git a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb index f4450e19f4..fe391b8bce 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
@@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.gz \
24	file://0001-rcp-fix-to-work-with-large-files.patch \	24	file://0001-rcp-fix-to-work-with-large-files.patch \
25	file://fix-buffer-fortify-tfpt.patch \	25	file://fix-buffer-fortify-tfpt.patch \
26	file://CVE-2021-40491.patch \	26	file://CVE-2021-40491.patch \
		27	file://CVE-2022-39028.patch \
27	"	28	"
28		29
29	SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52"	30	SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52"