!16 [sync] PR-12: fix CVE-2022-39028

From: @openeuler-sync-bot Reviewed-by: @sunsuwan Signed-off-by: @sunsuwan
fix CVE-2022-39028
2024-04-01 11:10:58 +00:00 · 2024-04-01 16:09:51 +08:00 · 2020-12-16 14:48:41 +08:00 · 2020-12-15 20:47:21 +08:00 · 2020-11-23 16:39:46 +08:00 · 2020-11-23 14:47:14 +08:00
4 changed files with 178 additions and 4 deletions
--- a/CVE-2020-10188.patch
+++ b/CVE-2020-10188.patch
@ -0,0 +1,97 @@
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index 82edee5..514ec19 100644
+--- a/telnetd/utility.c
+++ b/telnetd/utility.c
+@@ -219,31 +219,38 @@ void 	ptyflush(void)
+  */
+ static
+ char *
+-nextitem(char *current)
+nextitem(char *current, const char *endp)
+ {
+    if (current >= endp) {
+        return NULL;
+    }
+     if ((*current&0xff) != IAC) {
+ 	return current+1;
+     }
+    if (current+1 >= endp) {
+        return NULL;
+    }
+     switch (*(current+1)&0xff) {
+     case DO:
+     case DONT:
+     case WILL:
+     case WONT:
+-	return current+3;
+	return current+3 <= endp ? current+3 : NULL;
+     case SB:		/* loop forever looking for the SE */
+ 	{
+ 	    register char *look = current+2;
+ 
+-	    for (;;) {
+	    while (look < endp) {
+ 		if ((*look++&0xff) == IAC) {
+-		    if ((*look++&0xff) == SE) {
+		    if (look < endp && (*look++&0xff) == SE) {
+ 			return look;
+ 		    }
+ 		}
+ 	    }
+	    return NULL;
+ 	}
+     default:
+-	return current+2;
+	return current+2 <= endp ? current+2 : NULL;
+     }
+ }  /* end of nextitem */
+ 
+@@ -269,7 +276,7 @@ void netclear(void)
+     register char *thisitem, *next;
+     char *good;
+ #define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
+-				((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+				(nfrontp > p+1 && (((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))))
+ 
+ #if	defined(ENCRYPT)
+     thisitem = nclearto > netobuf ? nclearto : netobuf;
+@@ -277,7 +284,7 @@ void netclear(void)
+     thisitem = netobuf;
+ #endif
+ 
+-    while ((next = nextitem(thisitem)) <= nbackp) {
+    while ((next = nextitem(thisitem, nbackp)) != NULL && next <= nbackp) {
+ 	thisitem = next;
+     }
+ 
+@@ -289,20 +296,23 @@ void netclear(void)
+     good = netobuf;	/* where the good bytes go */
+ #endif
+ 
+-    while (nfrontp > thisitem) {
+    while (thisitem != NULL && nfrontp > thisitem) {
+ 	if (wewant(thisitem)) {
+ 	    int length;
+ 
+ 	    next = thisitem;
+ 	    do {
+-		next = nextitem(next);
+-	    } while (wewant(next) && (nfrontp > next));
+		next = nextitem(next, nfrontp);
+	    } while (next != NULL && wewant(next) && (nfrontp > next));
+	    if (next == NULL) {
+		next = nfrontp;
+	    }
+ 	    length = next-thisitem;
+ 	    bcopy(thisitem, good, length);
+ 	    good += length;
+ 	    thisitem = next;
+ 	} else {
+-	    thisitem = nextitem(thisitem);
+	    thisitem = nextitem(thisitem, nfrontp);
+ 	}
+     }
+ 
+-- 
+1.8.3.1
+
--- a/backport-CVE-2022-39028.patch
+++ b/backport-CVE-2022-39028.patch
@ -0,0 +1,48 @@
+Description: Fix remote DoS vulnerability in inetutils-telnetd
+ This is caused by a crash by a NULL pointer dereference when sending the
+ byte sequences «0xff 0xf7» or «0xff 0xf8».
+Authors:
+ Pierre Kim (original patch),
+ Alexandre Torres (original patch),
+ Erik Auerswald <auerswal@unix-ag.uni-kl.de> (adapted patch),
+Reviewed-by: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
+Origin: upstream
+Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
+Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
+Last-Update: 2022-08-28
+
+---
+ telnetd/state.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/telnetd/state.c b/telnetd/state.c
+index 0dc61a2..befc9d0 100644
+--- a/telnetd/state.c
+++ b/telnetd/state.c
+@@ -206,12 +206,20 @@ void telrcv(void) {
+ 	      case EC:
+ 	      case EL:
+ 		 {
+-		     cc_t ch;
+		     cc_t ch = (cc_t) (_POSIX_VDISABLE);
+ 		     DIAG(TD_OPTIONS, printoption("td: recv IAC", c));
+ 		     ptyflush();	/* half-hearted */
+ 		     init_termbuf();
+-		     if (c == EC) ch = *slctab[SLC_EC].sptr;
+-		     else ch = *slctab[SLC_EL].sptr;
+		     if (c == EC) 
+		     {
+		         if (slctab[SLC_EC].sptr)
+				ch = *slctab[SLC_EC].sptr;
+		     }
+		     else
+		     {
+		         if (slctab[SLC_EL].sptr)
+				ch = *slctab[SLC_EL].sptr;
+		     }
+ 		     if (ch != (cc_t)(_POSIX_VDISABLE))
+ 			 *pfrontp++ = (unsigned char)ch;
+ 		     break;
+-- 
+2.33.0
+
--- a/telnet.spec
+++ b/telnet.spec
@ -1,17 +1,15 @@
 Name:             telnet
 Epoch:            1
 Version:          0.17
-Release:          75
+Release:          79
 Summary:          Client and Server programs for the Telnet communication protocol
 License:          BSD
 Url:              http://web.archive.org/web/20070819111735/www.hcs.harvard.edu/~dholland/computers/old-netkit.html
-Source0:          ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/netkit-telnet-%{version}.tar.gz
-#sources form fedora/redhat
+Source0:          https://ftp.linux.org.uk/pub/linux/Networking/netkit/netkit-telnet-0.17.tar.gz
 Source1:          telnet-client.tar.gz
 Source2:          telnet@.service
 Source3:          telnet.socket

-#patches from fedora/redhat repositories
 Patch0001:        telnet-client-cvs.patch
 Patch0002:        telnetd-0.17.diff
 Patch0003:        telnet-0.17-env.patch
@ -38,6 +36,8 @@ Patch0023:        netkit-telnet-0.17-core-dump.patch
 Patch0024:        netkit-telnet-0.17-gcc7.patch
 Patch0025:        netkit-telnet-0.17-manpage.patch
 Patch0026:        netkit-telnet-0.17-telnetrc.patch
+Patch0027:        CVE-2020-10188.patch
+Patch0028:        backport-CVE-2022-39028.patch

 BuildRequires:    gcc-c++ ncurses-devel systemd
 Requires:         systemd
@ -101,5 +101,29 @@ install -pm644 %{SOURCE3} %{buildroot}%{_unitdir}/telnet.socket
 %{_mandir}/man1/telnet.1*

 %changelog
+* Mon Apr 01 2024 gaihuiying <eaglegai@163.com> - 1:0.17-79
+- Type:cves
+- CVE:CVE-2022-39028
+- SUG:NA
+- DESC:fix CVE-2022-39028
+
+* Tue Dec 15 2020 xihaochen <xihaochen@huawei.com> - 1:0.17-78
+- Type:requirement
+- ID:NA
+- SUG:NA
+- DESC:remove sensitive words 
+
+* Fri Sep 11 2020 lunankun <lunankun@huawei.com> - 1:0.17-77
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix source0 url
+
+* Mon Apr 27 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:0.17-76
+- Type:cves
+- ID:CVE-2020-10188
+- SUG:restart
+- DESC:fix CVE-2020-10188
+
 * Sat Sep 14 2019 huzhiyu<huzhiyu1@huawei.com> - 1:0.17-75
 - Package init
--- a/telnet.yaml
+++ b/telnet.yaml
@ -0,0 +1,5 @@
+version_control: NA
+src_repo:
+tag_prefix:
+separator:
+url: https://ftp.linux.org.uk/pub/linux/Networking/netkit
Author	SHA1	Message	Date
openeuler-ci-bot	83ec5ddd96	!16 [sync] PR-12: fix CVE-2022-39028 From: @openeuler-sync-bot Reviewed-by: @sunsuwan Signed-off-by: @sunsuwan	2024-04-01 11:10:58 +00:00
eaglegai	0039c343f1	fix CVE-2022-39028 (cherry picked from commit 69c6354b51d516919cfb3887e75af553428b5bdd)	2024-04-01 16:09:51 +08:00
openeuler-ci-bot	8d3d71d597	!6 remove the fedora, redhat keywords and update source url From: @haochenstar Reviewed-by: @zengwefeng Signed-off-by: @zengwefeng	2020-12-16 14:48:41 +08:00
haochenstar	b4a78b3148	remove fedora, redhat keyword and update source url	2020-12-15 20:47:21 +08:00
openeuler-ci-bot	216739b7c3	!5 add yaml file From: @haochenstar Reviewed-by: @zengwefeng Signed-off-by: @zengwefeng	2020-11-23 16:39:46 +08:00
haochenstar	b15f00ac4c	add yaml	2020-11-23 14:47:14 +08:00
openeuler-ci-bot	6844b18e5a	!3 fix source0 url From: @lunankun Reviewed-by: @wangxp006 Signed-off-by: @wangxp006	2020-09-15 17:25:45 +08:00
lunankun	bbfc111e07	fix source0 url	2020-09-11 15:13:07 +08:00
openeuler-ci-bot	2d248d52ba	!1 fix CVE-2020-10188 Merge pull request !1 from Vchanger/master	2020-05-06 17:04:31 +08:00
Vchanger	7286d8a876	telnet: fix CVE-2020-10188	2020-04-27 17:36:24 +08:00