packages/telnet
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:83ec5ddd96fe7a6eb02a8723c7b7c205a711ed65
Branches Tags
packages:main
..
compare: packages:211b6c9c339776f2f47899183b4d5765267ac72e
Branches Tags
packages:main

No commits in common. "83ec5ddd96fe7a6eb02a8723c7b7c205a711ed65" and "211b6c9c339776f2f47899183b4d5765267ac72e" have entirely different histories.
83ec5ddd96 ... 211b6c9c33

4 changed files with 4 additions and 178 deletions
Show Stats Expand all files Collapse all files

97
CVE-2020-10188.patch
View File

@ -1,97 +0,0 @@
diff --git a/telnetd/utility.c b/telnetd/utility.c
index 82edee5..514ec19 100644
--- a/telnetd/utility.c
+++ b/telnetd/utility.c
@@ -219,31 +219,38 @@ void ptyflush(void)
*/
static
char *
-nextitem(char *current)
+nextitem(char *current, const char *endp)
{
+ if (current >= endp) {
+ return NULL;
+ }
if ((*current&0xff) != IAC) {
return current+1;
}
+ if (current+1 >= endp) {
+ return NULL;
+ }
switch (*(current+1)&0xff) {
case DO:
case DONT:
case WILL:
case WONT:
- return current+3;
+ return current+3 <= endp ? current+3 : NULL;
case SB: /* loop forever looking for the SE */
{
register char *look = current+2;
- for (;;) {
+ while (look < endp) {
if ((*look++&0xff) == IAC) {
- if ((*look++&0xff) == SE) {
+ if (look < endp && (*look++&0xff) == SE) {
return look;
}
}
}
+ return NULL;
}
default:
- return current+2;
+ return current+2 <= endp ? current+2 : NULL;
}
} /* end of nextitem */
@@ -269,7 +276,7 @@ void netclear(void)
register char *thisitem, *next;
char *good;
#define wewant(p) ((nfrontp > p) && ((*p&0xff) == IAC) && \
- ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+ (nfrontp > p+1 && (((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))))
#if defined(ENCRYPT)
thisitem = nclearto > netobuf ? nclearto : netobuf;
@@ -277,7 +284,7 @@ void netclear(void)
thisitem = netobuf;
#endif
- while ((next = nextitem(thisitem)) <= nbackp) {
+ while ((next = nextitem(thisitem, nbackp)) != NULL && next <= nbackp) {
thisitem = next;
}
@@ -289,20 +296,23 @@ void netclear(void)
good = netobuf; /* where the good bytes go */
#endif
- while (nfrontp > thisitem) {
+ while (thisitem != NULL && nfrontp > thisitem) {
if (wewant(thisitem)) {
int length;
next = thisitem;
do {
- next = nextitem(next);
- } while (wewant(next) && (nfrontp > next));
+ next = nextitem(next, nfrontp);
+ } while (next != NULL && wewant(next) && (nfrontp > next));
+ if (next == NULL) {
+ next = nfrontp;
+ }
length = next-thisitem;
bcopy(thisitem, good, length);
good += length;
thisitem = next;
} else {
- thisitem = nextitem(thisitem);
+ thisitem = nextitem(thisitem, nfrontp);
}
}
--
1.8.3.1

48
backport-CVE-2022-39028.patch
View File

@ -1,48 +0,0 @@
Description: Fix remote DoS vulnerability in inetutils-telnetd
This is caused by a crash by a NULL pointer dereference when sending the
byte sequences «0xff 0xf7» or «0xff 0xf8».
Authors:
Pierre Kim (original patch),
Alexandre Torres (original patch),
Erik Auerswald <auerswal@unix-ag.uni-kl.de> (adapted patch),
Reviewed-by: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
Origin: upstream
Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
Last-Update: 2022-08-28
---
telnetd/state.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/telnetd/state.c b/telnetd/state.c
index 0dc61a2..befc9d0 100644
--- a/telnetd/state.c
+++ b/telnetd/state.c
@@ -206,12 +206,20 @@ void telrcv(void) {
case EC:
case EL:
{
- cc_t ch;
+ cc_t ch = (cc_t) (_POSIX_VDISABLE);
DIAG(TD_OPTIONS, printoption("td: recv IAC", c));
ptyflush(); /* half-hearted */
init_termbuf();
- if (c == EC) ch = *slctab[SLC_EC].sptr;
- else ch = *slctab[SLC_EL].sptr;
+ if (c == EC)
+ {
+ if (slctab[SLC_EC].sptr)
+ ch = *slctab[SLC_EC].sptr;
+ }
+ else
+ {
+ if (slctab[SLC_EL].sptr)
+ ch = *slctab[SLC_EL].sptr;
+ }
if (ch != (cc_t)(_POSIX_VDISABLE))
*pfrontp++ = (unsigned char)ch;
break;
--
2.33.0

32
telnet.spec
View File

@ -1,15 +1,17 @@
Name: telnet
Epoch: 1
Version: 0.17
Release: 79
Release: 75
Summary: Client and Server programs for the Telnet communication protocol
License: BSD
Url: http://web.archive.org/web/20070819111735/www.hcs.harvard.edu/~dholland/computers/old-netkit.html
Source0: https://ftp.linux.org.uk/pub/linux/Networking/netkit/netkit-telnet-0.17.tar.gz
Source0: ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/netkit-telnet-%{version}.tar.gz
#sources form fedora/redhat
Source1: telnet-client.tar.gz
Source2: telnet@.service
Source3: telnet.socket
#patches from fedora/redhat repositories
Patch0001: telnet-client-cvs.patch
Patch0002: telnetd-0.17.diff
Patch0003: telnet-0.17-env.patch
@ -36,8 +38,6 @@ Patch0023: netkit-telnet-0.17-core-dump.patch
Patch0024: netkit-telnet-0.17-gcc7.patch
Patch0025: netkit-telnet-0.17-manpage.patch
Patch0026: netkit-telnet-0.17-telnetrc.patch
Patch0027: CVE-2020-10188.patch
Patch0028: backport-CVE-2022-39028.patch
BuildRequires: gcc-c++ ncurses-devel systemd
Requires: systemd
@ -101,29 +101,5 @@ install -pm644 %{SOURCE3} %{buildroot}%{_unitdir}/telnet.socket
%{_mandir}/man1/telnet.1*
%changelog
* Mon Apr 01 2024 gaihuiying <eaglegai@163.com> - 1:0.17-79
- Type:cves
- CVE:CVE-2022-39028
- SUG:NA
- DESC:fix CVE-2022-39028
* Tue Dec 15 2020 xihaochen <xihaochen@huawei.com> - 1:0.17-78
- Type:requirement
- ID:NA
- SUG:NA
- DESC:remove sensitive words
* Fri Sep 11 2020 lunankun <lunankun@huawei.com> - 1:0.17-77
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix source0 url
* Mon Apr 27 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:0.17-76
- Type:cves
- ID:CVE-2020-10188
- SUG:restart
- DESC:fix CVE-2020-10188
* Sat Sep 14 2019 huzhiyu<huzhiyu1@huawei.com> - 1:0.17-75
- Package init

5
telnet.yaml
View File

@ -1,5 +0,0 @@
version_control: NA
src_repo:
tag_prefix:
separator:
url: https://ftp.linux.org.uk/pub/linux/Networking/netkit