| author | Vijay Anusuri <vanusuri@mvista.com> | 2026-03-18 13:39:10 +0530 |
|---|---|---|
| committer | Paul Barker <paul@pbarker.dev> | 2026-03-25 17:34:13 +0000 |
| commit | ba6c5d806925318b86beae2ae1ebd609101ade3b (patch) | |
| tree | a881538c2e1a4454f9517d043def5c67b8fdf53a /meta | |
| parent | 5cc40d3e64a8c0c79e7492a738858224474fd416 (diff) | |
| download | poky-ba6c5d806925318b86beae2ae1ebd609101ade3b.tar.gz | |
inetutils: Fix CVE-2026-32746
Pick patch according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-32746
[2] https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html
[3] https://codeberg.org/inetutils/inetutils/pulls/17/files
(From OE-Core rev: 53a3cdf7b55b76ec64a314f5fafced4a803ac12f)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch | 40 | ||||
| -rw-r--r-- | meta/recipes-connectivity/inetutils/inetutils_2.5.bb | 1 |
2 files changed, 41 insertions, 0 deletions
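--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch
@@ -0,0 +1,40 @@
+From 6864598a29b652a6b69a958f5cd1318aa2b258af Mon Sep 17 00:00:00 2001
+From: Collin Funk <collin.funk1@gmail.com>
+Date: Wed, 11 Mar 2026 23:06:46 -0700
+Subject: [PATCH] telnetd: fix stack buffer overflow processing SLC suboption triplets
+
+Previously a client could write past the end of an internal buffer using
+an SLC suboption with many triplets using function octets greater than
+18, possibly leading to remote code execution. Reported by Adiel Sol,
+Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel at DREAM
+Security Research Team at:
+<https://lists.gnu.org/r/bug-inetutils/2026-03/msg00031.html>.
+
+* telnetd/slc.c (add_slc): Return early if writing the tuple would lead
+us to writing past the end of the buffer.
+* NEWS.md: Mention the fix.
+
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=6864598a29b652a6b69a958f5cd1318aa2b258af]
+CVE: CVE-2026-32746
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+telnetd/slc.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/telnetd/slc.c b/telnetd/slc.c
+index b3cc117..9d6bad1 100644
+--- a/telnetd/slc.c
++++ b/telnetd/slc.c
+@@ -162,6 +162,9 @@ get_slc_defaults (void)
+void
+add_slc (register char func, register char flag, register cc_t val)
+{
++ /* Do nothing if the entire triplet cannot fit in the buffer. */
++ if (slcbuf + sizeof slcbuf - slcptr <= 6)
++ return;
+
+if ((*slcptr++ = (unsigned char) func) == 0xff)
+*slcptr++ = 0xff;
+--
+2.43.0
+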
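Review bot: The new guard in add_slc compares the remaining space against a bare `6` with `<=`, and its comment does not explain either choice. The two lines after the guard show func taking two bytes when it equals 0xff; presumably flag and val are handled the same way, giving six bytes worst case, with `<=` keeping one more byte free. I would say so in the comment, e.g. `/* A triplet takes at most 6 bytes (each octet is doubled when it is 0xff); skip it unless more than that is left. */`, and name what the spare byte is reserved for. The code that terminates the suboption is outside this hunk, so it is worth confirming that whatever it appends after the last accepted triplet still fits in slcbuf. The triplet is also dropped silently, so a debug or syslog line at the early return would let operators notice clients sending oversized SLC suboptions; add_slc's body continues past the end of the hunk.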
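--- a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
 file://CVE-2026-24061-1.patch \
 file://CVE-2026-24061-2.patch \
 file://CVE-2026-28372.patch \
+file://CVE-2026-32746.patch \
 "
 
 inherit autotools gettext update-alternatives texinfo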
