netkit-telnet: Fix CVE-2022-39028

References: https://nvd.nist.gov/vuln/detail/CVE-2022-39028 https://security-tracker.debian.org/tracker/CVE-2022-39028 Upstream Patch: https://cgit.freebsd.org/src/commit/?id=6914ffef4e23 - Patch is adopted from FreeBSD, as same vulnerability of telnetd is applicable to FreeBSD and netkit-telnet packages. Signed-off-by: Sanjay Chitroda <sanjay.chitroda@einfochips.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Sanjay Chitroda <sanjay.chitroda@einfochips.com> 2023-09-22 04:17:25 -0700
committer: Khem Raj <raj.khem@gmail.com> 2023-09-22 07:36:16 -0700
commit: d629fe71e4242fc0557f5668d9f223777eb60a0f (patch)
tree: 06bbdaf2a798e0dbfcbb52c37515b2e3a4e8663d
parent: 0ad3c587362383a7a4509e519647ec66656b1580 (diff)
download: meta-openembedded-d629fe71e4242fc0557f5668d9f223777eb60a0f.tar.gz
2 files changed, 54 insertions, 0 deletions
diff --git a/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch
new file mode 100644
index 0000000000..e8c3f1d84b
--- /dev/null
+++ b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch
@@ -0,0 +1,53 @@
+From 4133a888aa256312186962ab70d4a36eed5920c1 Mon Sep 17 00:00:00 2001
+From: Brooks Davis <brooks@FreeBSD.org>
+Date: Mon, 26 Sep 2022 18:56:51 +0100
+Subject: [PATCH] telnetd: fix two-byte input crash
+Move initialization of the slc table earlier so it doesn't get
+accessed before that happens.
+For details on the issue, see:
+https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
+Reviewed by:    cy
+Obtained from:  NetBSD via cy
+Differential Revision:  https://reviews.freebsd.org/D36680
+CVE: CVE-2022-39028
+Upstream-Status: Backport [https://cgit.freebsd.org/src/commit/?id=6914ffef4e23]
+(cherry picked from commit 6914ffef4e2318ca1d0ead28eafb6f06055ce0f8)
+Signed-off-by: Sanjay Chitroda <sanjay.chitroda@einfochips.com>
+---
+ telnetd/telnetd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+diff --git a/telnetd/telnetd.c b/telnetd/telnetd.c
+index f36f505..efa0fe1 100644
+--- a/telnetd/telnetd.c
+++ b/telnetd/telnetd.c
+@@ -615,6 +615,11 @@ doit(struct sockaddr_in *who)
+        int level;
+        char user_name[256];
+ 
+       /*
+        * Initialize the slc mapping table.
+        */
+       get_slc_defaults();
+
+        /*
+         * Find an available pty to use.
+         */
+@@ -698,11 +703,6 @@ void telnet(int f, int p)
+     char *HE;
+     const char *IM;
+ 
+-    /*
+-     * Initialize the slc mapping table.
+-     */
+-    get_slc_defaults();
+-
+     /*
+      * Do some tests where it is desireable to wait for a response.
+      * Rather than doing them slowly, one at a time, do them all
diff --git a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
index e28eeae491..d3de038d16 100644
--- a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
+++ b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
@@ -16,6 +16,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/netkit-telnet_${PV}.orig.tar.gz
           file://0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch \
           file://0001-utility-Include-time.h-form-time-and-strftime-protot.patch \
           file://0001-Drop-using-register-keyword.patch \
+           file://CVE-2022-39028.patch \
           "
 UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/"
author	Sanjay Chitroda <sanjay.chitroda@einfochips.com>	2023-09-22 04:17:25 -0700
committer	Khem Raj <raj.khem@gmail.com>	2023-09-22 07:36:16 -0700
commit	d629fe71e4242fc0557f5668d9f223777eb60a0f (patch)
tree	06bbdaf2a798e0dbfcbb52c37515b2e3a4e8663d
parent	0ad3c587362383a7a4509e519647ec66656b1580 (diff)
download	meta-openembedded-d629fe71e4242fc0557f5668d9f223777eb60a0f.tar.gz

diff --git a/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch new file mode 100644 index 0000000000..e8c3f1d84b --- /dev/null +++ b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch
@@ -0,0 +1,53 @@
		1	From 4133a888aa256312186962ab70d4a36eed5920c1 Mon Sep 17 00:00:00 2001
		2	From: Brooks Davis <brooks@FreeBSD.org>
		3	Date: Mon, 26 Sep 2022 18:56:51 +0100
		4	Subject: [PATCH] telnetd: fix two-byte input crash
		5
		6	Move initialization of the slc table earlier so it doesn't get
		7	accessed before that happens.
		8
		9	For details on the issue, see:
		10	https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
		11
		12	Reviewed by: cy
		13	Obtained from: NetBSD via cy
		14	Differential Revision: https://reviews.freebsd.org/D36680
		15
		16	CVE: CVE-2022-39028
		17	Upstream-Status: Backport [https://cgit.freebsd.org/src/commit/?id=6914ffef4e23]
		18
		19	(cherry picked from commit 6914ffef4e2318ca1d0ead28eafb6f06055ce0f8)
		20	Signed-off-by: Sanjay Chitroda <sanjay.chitroda@einfochips.com>
		21
		22	---
		23	telnetd/telnetd.c \| 10 +++++-----
		24	1 file changed, 5 insertions(+), 5 deletions(-)
		25
		26	diff --git a/telnetd/telnetd.c b/telnetd/telnetd.c
		27	index f36f505..efa0fe1 100644
		28	--- a/telnetd/telnetd.c
		29	+++ b/telnetd/telnetd.c
		30	@@ -615,6 +615,11 @@ doit(struct sockaddr_in *who)
		31	int level;
		32	char user_name[256];
		33
		34	+ /*
		35	+ * Initialize the slc mapping table.
		36	+ */
		37	+ get_slc_defaults();
		38	+
		39	/*
		40	* Find an available pty to use.
		41	*/
		42	@@ -698,11 +703,6 @@ void telnet(int f, int p)
		43	char *HE;
		44	const char *IM;
		45
		46	- /*
		47	- * Initialize the slc mapping table.
		48	- */
		49	- get_slc_defaults();
		50	-
		51	/*
		52	* Do some tests where it is desireable to wait for a response.
		53	* Rather than doing them slowly, one at a time, do them all


diff --git a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb index e28eeae491..d3de038d16 100644 --- a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb +++ b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
@@ -16,6 +16,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/netkit-telnet_${PV}.orig.tar.gz
16	file://0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch \	16	file://0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch \
17	file://0001-utility-Include-time.h-form-time-and-strftime-protot.patch \	17	file://0001-utility-Include-time.h-form-time-and-strftime-protot.patch \
18	file://0001-Drop-using-register-keyword.patch \	18	file://0001-Drop-using-register-keyword.patch \
		19	file://CVE-2022-39028.patch \
19	"	20	"
20		21
21	UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/"	22	UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/"