author Vijay Anusuri <vanusuri@mvista.com> 2026-03-18 13:39:10 +0530
committer Paul Barker <paul@pbarker.dev> 2026-03-25 17:34:13 +0000
commit ba6c5d806925318b86beae2ae1ebd609101ade3b
tree a881538c2e1a4454f9517d043def5c67b8fdf53a /meta
parent 5cc40d3e64a8c0c79e7492a738858224474fd416
inetutils: Fix CVE-2026-32746
Pick patch according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-32746
[2] https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html
[3] https://codeberg.org/inetutils/inetutils/pulls/17/files

(From OE-Core rev: 53a3cdf7b55b76ec64a314f5fafced4a803ac12f)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Diffstat (limited to 'meta')
-rw-r--r-- meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch 40
-rw-r--r-- meta/recipes-connectivity/inetutils/inetutils_2.5.bb 1
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch
new file mode 100644
index 0000000000..0e55f3f0a4
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch
@@ -0,0 +1,40 @@
1From 6864598a29b652a6b69a958f5cd1318aa2b258af Mon Sep 17 00:00:00 2001
2From: Collin Funk <collin.funk1@gmail.com>
3Date: Wed, 11 Mar 2026 23:06:46 -0700
4Subject: [PATCH] telnetd: fix stack buffer overflow processing SLC suboption triplets
5
6Previously a client could write past the end of an internal buffer using
7an SLC suboption with many triplets using function octets greater than
818, possibly leading to remote code execution. Reported by Adiel Sol,
9Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel at DREAM
10Security Research Team at:
11<https://lists.gnu.org/r/bug-inetutils/2026-03/msg00031.html>.
12
13* telnetd/slc.c (add_slc): Return early if writing the tuple would lead
14us to writing past the end of the buffer.
15* NEWS.md: Mention the fix.
16
17Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=6864598a29b652a6b69a958f5cd1318aa2b258af]
18CVE: CVE-2026-32746
19Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
20---
21 telnetd/slc.c | 3 +++
22 1 file changed, 3 insertions(+)
23
24diff --git a/telnetd/slc.c b/telnetd/slc.c
25index b3cc117..9d6bad1 100644
26--- a/telnetd/slc.c
27+++ b/telnetd/slc.c
28@@ -162,6 +162,9 @@ get_slc_defaults (void)
29 void
30 add_slc (register char func, register char flag, register cc_t val)
31 {
32+ /* Do nothing if the entire triplet cannot fit in the buffer. */
33+ if (slcbuf + sizeof slcbuf - slcptr <= 6)
34+ return;
35
36 if ((*slcptr++ = (unsigned char) func) == 0xff)
37 *slcptr++ = 0xff;
38--
392.43.0
40
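Review bot: The bound in the check added at the top of add_slc, `slcbuf + sizeof slcbuf - slcptr <= 6`, is an unexplained magic number, and the comment above it says neither why a triplet needs 6 bytes nor why the comparison is `<=` rather than `<`. The lines that follow show the func octet being doubled when it equals 0xff, so the worst case is presumably three octets of two bytes each; stating that in the comment, and saying whether the extra byte excluded by `<=` is reserved on purpose, would let a later reader verify the arithmetic. The early return is also silent, so a triplet that does not fit is dropped with no diagnostic; consider whether that deserves a log line. Separately, the embedded patch header still lists "NEWS.md: Mention the fix" while its diffstat covers only telnetd/slc.c, so a line in the header noting that the NEWS.md hunk was dropped would match the Upstream-Status: Backport tag.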
diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb
index 6c53902356..29ff62379d 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
21 file://CVE-2026-24061-1.patch \ 21 file://CVE-2026-24061-1.patch \
22 file://CVE-2026-24061-2.patch \ 22 file://CVE-2026-24061-2.patch \
23 file://CVE-2026-28372.patch \ 23 file://CVE-2026-28372.patch \
24 file://CVE-2026-32746.patch \
24 " 25 "
25 26
26inherit autotools gettext update-alternatives texinfo 27inherit autotools gettext update-alternatives texinfo
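Review bot: Nothing in the commit says the backport was checked against the 2.5 sources that the new SRC_URI entry `file://CVE-2026-32746.patch \` applies it to. The embedded patch is taken from an upstream commit with its context at telnetd/slc.c line 162, so please state in the commit message that it applies to inetutils 2.5 without fuzz or offset. The commit message also lists links [2] and [3] that its text never refers to; either cite them or say what each one is.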