author | Minjae Kim <flowergom@gmail.com> | 2022-09-26 23:33:08 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-09-30 16:34:52 +0100 |
commit | 243a95b193ad01d375adc6950bf5beb50ef617cc (patch) | |
tree | 0cfb9dacc19ce460ca98611c6c67cb8b58febb2f | |
parent | d7194226b19e45251e80cc3c02f62849ec63f8b0 (diff) | |
download | poky-243a95b193ad01d375adc6950bf5beb50ef617cc.tar.gz |
inetutils: CVE-2022-39028 - fix remote DoS vulnerability in inetutils-telnetd
Fix telnetd crash if the first two bytes of a new connection
are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL).
CVE: CVE-2022-39028
(From OE-Core rev: 1c385e70d4bfab2334361ba82f29988bb11d6902)
Signed-off-by:Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch | 54 | ||||
-rw-r--r-- | meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb | 1 |
2 files changed, 55 insertions, 0 deletions
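--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch
@@ -0,0 +1,54 @@
+From eaae65aac967f9628787dca4a2501ca860bb6598 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Mon, 26 Sep 2022 22:05:07 +0200
+Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt
+
+Fix telnetd crash if the first two bytes of a new connection
+are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL).
+
+The problem was reported in:
+<https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html>.
+
+* NEWS: Mention fix.
+* telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and
+zero slctab[SLC_EL].sptr.
+
+CVE: CVE-2022-39028
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f]
+Signed-off-by: Minjae Kim<flowergom@gmail.com>
+---
+telnetd/state.c | 12 +++++++++---
+1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/telnetd/state.c b/telnetd/state.c
+index 2184bca..7948503 100644
+--- a/telnetd/state.c
++++ b/telnetd/state.c
+@@ -314,15 +314,21 @@ telrcv (void)
+case EC:
+case EL:
+{
+- cc_t ch;
++ cc_t ch = (cc_t) (_POSIX_VDISABLE);
+
+DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
+ptyflush (); /* half-hearted */
+init_termbuf ();
+if (c == EC)
+- ch = *slctab[SLC_EC].sptr;
++ {
++ if (slctab[SLC_EC].sptr)
++ ch = *slctab[SLC_EC].sptr;
++ }
+else
+- ch = *slctab[SLC_EL].sptr;
++ {
++ if (slctab[SLC_EL].sptr)
++ ch = *slctab[SLC_EL].sptr;
++ }
+if (ch != (cc_t) (_POSIX_VDISABLE))
+pty_output_byte ((unsigned char) ch);
+break;
+--
+2.25.1
+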
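Review bot: The two added guards in the `case EC:` / `case EL:` block of telrcv() make a null `slctab[...].sptr` behave like a disabled character, but nothing in the code records when that pointer can be null; the commit message says it happens when IAC EC or IAC EL arrives as the first two bytes of a connection. A short comment above the declaration would keep the guard from being simplified away later, for example `/* sptr can still be null when IAC EC/EL arrives as the first bytes of a connection (CVE-2022-39028); keep ch disabled. */`. The patch header still lists `* NEWS: Mention fix.` although the diffstat inside the patch covers only telnetd/state.c, so that changelog line could be dropped or marked as omitted in this backport. Other dereferences of `slctab[...].sptr` are not visible in this hunk and may merit the same null check; telrcv's body starts and ends outside the hunk.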
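--- a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
@@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.gz \
 file://0001-rcp-fix-to-work-with-large-files.patch \
 file://fix-buffer-fortify-tfpt.patch \
 file://CVE-2021-40491.patch \
+file://CVE-2022-39028.patch \
 "
 
 SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52"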