Hi! Sorry, I'm updating the request as I found missing stuff while preparing the companion update for buster!
On Tue, 2022-08-30 at 00:37:03 +0200, Guillem Jover wrote: > Package: release.debian.org > Severity: normal > Tags: bullseye > User: release.debian....@packages.debian.org > Usertags: pu > X-Debbugs-Cc: t...@security.debian.org > [ Reason ] > > A recent vulnerability (DoS) was reported upstream, for which I > uploaded a fixed package to sid (will migrate tomorrow). There was a > (minor) pending security update missing from bullseye. The security > team (CCed) would prefer to see these handled as normal stable updates. I'm adding a couple of patches to solve lingering buffer overflow issues from #945861 and CVE-2019-0053. > [ Impact ] > > These are both security issues. One against malicious ftp servers > which can end up controlling the client to connect to other hosts, > the other a DoS on the telnetd server which makes it crash with > specific two-byte payloads. The additional patches are buffer overflows. > [ Tests ] > > For the ftp client, there's a test recipe at > <https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html>. > > For the telnetd server there's a test recipe at > <https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00003.html> > which amounts to «printf "\xff\xf7" | nc -n -v localhost 23». The two new patches fix the following reproducers: $ DISPLAY=`perl -e 'print Ax"50000"'` telnet -l`perl -e 'print "A"x5000'` localhost and https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/telnet_term_0day.py > Both test recipes could be reproduced before, and do not work after > the patched version. > [ Risks ] > > The fix for the ftp client has been in sid since 2021-09 with no > reported regressions. > > The fix for telnetd has not yet migrated to testing, but is few lines > long fixing a couple of NULL pointer dereferences. Both new fixes have been part of sid/testing for a while now. > [ Checklist ] > > [√] *all* changes are documented in the d/changelog > [√] I reviewed all changes and I approve them > [√] attach debdiff against the package in (old)stable > [√] the issue is verified as fixed in unstable > > [ Changes ] * telnet: Add checks for option reply parsing limits causing buffer overflow induced crashes due to long option values. Fixes CVE-2019-0053. Closes: #945861 * Add patch from upstream to fix infinite loop causing a stack exhaustion induced crash in telnet client due to malicious server commands. Closes: #945861 > * Fix inetutils-ftp security bug trusting FTP PASV responses. > Fixes CVE-2021-40491. Closes: #993476 > * Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by > a NULL pointer dereference when sending the byte sequences «0xff 0xf7» > or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch > adapted by Erik Auerswald <auers...@unix-ag.uni-kl.de>. > [ Other info ] > > None. I'm attaching the refreshed debdiff. Thanks, Guillem
diff -Nru inetutils-2.0/debian/changelog inetutils-2.0/debian/changelog --- inetutils-2.0/debian/changelog 2021-02-05 23:14:20.000000000 +0100 +++ inetutils-2.0/debian/changelog 2022-08-30 13:34:41.000000000 +0200 @@ -1,3 +1,21 @@ +inetutils (2:2.0-1+deb11u1) bullseye; urgency=medium + + * telnet: Add checks for option reply parsing limits causing buffer + overflow induced crashes due to long option values. + Fixes CVE-2019-0053. Closes: #945861 + * Add patch from upstream to fix infinite loop causing a stack exhaustion + induced crash in telnet client due to malicious server commands. + Closes: #945861 + * Fix inetutils-ftp security bug trusting FTP PASV responses. + Fixes CVE-2021-40491. Closes: #993476 + * Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by + a NULL pointer dereference when sending the byte sequences «0xff 0xf7» + or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch + adapted by Erik Auerswald <auers...@unix-ag.uni-kl.de>. + Fixes CVE-2022-39028. + + -- Guillem Jover <guil...@debian.org> Tue, 30 Aug 2022 13:34:41 +0200 + inetutils (2:2.0-1) unstable; urgency=medium * New upstream release. diff -Nru inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch --- inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch 1970-01-01 01:00:00.000000000 +0100 +++ inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch 2022-08-30 13:33:33.000000000 +0200 @@ -0,0 +1,59 @@ +From 58cb043b190fd04effdaea7c9403416b436e50dd Mon Sep 17 00:00:00 2001 +From: Simon Josefsson <si...@josefsson.org> +Date: Wed, 1 Sep 2021 09:09:50 +0200 +Subject: [PATCH] ftp: check that PASV/LSPV addresses match. + +* ftp/ftp.c (initconn): Validate returned addresses. +--- + ftp/ftp.c | 21 +++++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/ftp/ftp.c b/ftp/ftp.c +index d21dbdd8..7513539d 100644 +--- a/ftp/ftp.c ++++ b/ftp/ftp.c +@@ -1365,6 +1365,13 @@ initconn (void) + uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr; + pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3]); + } ++ if (data_addr_sa4->sin_addr.s_addr ++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr) ++ { ++ printf ("Passive mode address mismatch.\n"); ++ (void) command ("ABOR"); /* Cancel any open connection. */ ++ goto bad; ++ } + } /* LPSV IPv4 */ + else /* IPv6 */ + { +@@ -1395,6 +1402,13 @@ initconn (void) + pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8) | h[11]); + pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] << 8) | h[15]); + } ++ if (data_addr_sa6->sin6_addr.s6_addr ++ != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr) ++ { ++ printf ("Passive mode address mismatch.\n"); ++ (void) command ("ABOR"); /* Cancel any open connection. */ ++ goto bad; ++ } + } /* LPSV IPv6 */ + } + else /* !EPSV && !LPSV */ +@@ -1415,6 +1429,13 @@ initconn (void) + | ((a2 & 0xff) << 8) | (a3 & 0xff) ); + data_addr_sa4->sin_port = + htons (((p0 & 0xff) << 8) | (p1 & 0xff)); ++ if (data_addr_sa4->sin_addr.s_addr ++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr) ++ { ++ printf ("Passive mode address mismatch.\n"); ++ (void) command ("ABOR"); /* Cancel any open connection. */ ++ goto bad; ++ } + } /* PASV */ + else + { +-- +2.37.2 + diff -Nru inetutils-2.0/debian/patches/0001-telnet-Add-checks-for-option-reply-parsing-limits.patch inetutils-2.0/debian/patches/0001-telnet-Add-checks-for-option-reply-parsing-limits.patch --- inetutils-2.0/debian/patches/0001-telnet-Add-checks-for-option-reply-parsing-limits.patch 1970-01-01 01:00:00.000000000 +0100 +++ inetutils-2.0/debian/patches/0001-telnet-Add-checks-for-option-reply-parsing-limits.patch 2022-08-30 13:31:38.000000000 +0200 @@ -0,0 +1,54 @@ +From 24dcb23ceab395644051a3da37f1cbd00fe80c17 Mon Sep 17 00:00:00 2001 +From: Guillem Jover <guil...@hadrons.org> +Date: Fri, 3 Sep 2021 03:58:13 +0200 +Subject: [PATCH] telnet: Add checks for option reply parsing limits + +This fixes buffer overflows caused by for example: + + telnet -l`perl -e 'print "A"x5000'` localhost + +Taken from FreeBSD. +--- + telnet/telnet.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/telnet/telnet.c ++++ b/telnet/telnet.c +@@ -1678,8 +1678,8 @@ env_opt (register unsigned char *buf, re + } + } + +-#define OPT_REPLY_SIZE 256 +-unsigned char *opt_reply; ++#define OPT_REPLY_SIZE (2 * SUBBUFSIZE) ++unsigned char *opt_reply = NULL; + unsigned char *opt_replyp; + unsigned char *opt_replyend; + +@@ -1762,6 +1762,8 @@ env_opt_add (register unsigned char *ep) + { + while ((c = *ep++)) + { ++ if (opt_replyp + (2 + 2) > opt_replyend) ++ return; + switch (c & 0xff) + { + case IAC: +@@ -1778,6 +1780,8 @@ env_opt_add (register unsigned char *ep) + } + if ((ep = vp)) + { ++ if (opt_replyp + (1 + 2 + 2) > opt_replyend) ++ return; + #ifdef OLD_ENVIRON + if (telopt_environ == TELOPT_OLD_ENVIRON) + *opt_replyp++ = old_env_value; +@@ -1808,6 +1812,8 @@ env_opt_end (register int emptyok) + { + register int len; + ++ if (opt_replyp + 2 > opt_replyend) ++ return; + len = opt_replyp - opt_reply + 2; + if (emptyok || len > 6) + { diff -Nru inetutils-2.0/debian/patches/0001-telnet-Don-t-infloop-for-malicious-server.patch inetutils-2.0/debian/patches/0001-telnet-Don-t-infloop-for-malicious-server.patch --- inetutils-2.0/debian/patches/0001-telnet-Don-t-infloop-for-malicious-server.patch 1970-01-01 01:00:00.000000000 +0100 +++ inetutils-2.0/debian/patches/0001-telnet-Don-t-infloop-for-malicious-server.patch 2022-08-30 13:33:02.000000000 +0200 @@ -0,0 +1,25 @@ +From 3fcebb9b38b8b01e528d158656af863f98a3c751 Mon Sep 17 00:00:00 2001 +From: Simon Josefsson <si...@josefsson.org> +Date: Fri, 3 Sep 2021 15:59:45 +0200 +Subject: [PATCH] telnet: Don't infloop for malicious server. + +See https://bugs.debian.org/945861 and the tiny patch used by NetBSD: +https://github.com/NetBSD/src/commit/36b8cfb2e28f691beae12da0c207086e1df0c8c4#diff-38b7213f9c6c21245fbeb4fad9520a27239d712a6dd0fea20dd6b77203b5737c + +* telnet/utilities.c (ExitString): Don't call SetForExit(). + +diff --git a/telnet/utilities.c b/telnet/utilities.c +index 85fd4762..08571cd4 100644 +--- a/telnet/utilities.c ++++ b/telnet/utilities.c +@@ -1063,7 +1063,6 @@ Exit (int returnCode) + void + ExitString (char *string, int returnCode) + { +- SetForExit (); + fwrite (string, 1, strlen (string), stderr); + exit (returnCode); + } +-- +2.33.0 + diff -Nru inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch --- inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch 1970-01-01 01:00:00.000000000 +0100 +++ inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch 2022-08-30 13:34:10.000000000 +0200 @@ -0,0 +1,45 @@ +Description: Fix remote DoS vulnerability in inetutils-telnetd + This is caused by a crash by a NULL pointer dereference when sending the + byte sequences «0xff 0xf7» or «0xff 0xf8». +Authors: + Pierre Kim (original patch), + Alexandre Torres (original patch), + Erik Auerswald <auers...@unix-ag.uni-kl.de> (adapted patch), +Reviewed-by: Erik Auerswald <auers...@unix-ag.uni-kl.de> +Origin: upstream +Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html +Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html +Last-Update: 2022-08-28 + + +--- + telnetd/state.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/telnetd/state.c ++++ b/telnetd/state.c +@@ -315,15 +315,21 @@ telrcv (void) + case EC: + case EL: + { +- cc_t ch; ++ cc_t ch = (cc_t) (_POSIX_VDISABLE); + + DEBUG (debug_options, 1, printoption ("td: recv IAC", c)); + ptyflush (); /* half-hearted */ + init_termbuf (); + if (c == EC) +- ch = *slctab[SLC_EC].sptr; ++ { ++ if (slctab[SLC_EC].sptr) ++ ch = *slctab[SLC_EC].sptr; ++ } + else +- ch = *slctab[SLC_EL].sptr; ++ { ++ if (slctab[SLC_EL].sptr) ++ ch = *slctab[SLC_EL].sptr; ++ } + if (ch != (cc_t) (_POSIX_VDISABLE)) + pty_output_byte ((unsigned char) ch); + break; diff -Nru inetutils-2.0/debian/patches/series inetutils-2.0/debian/patches/series --- inetutils-2.0/debian/patches/series 2021-01-30 01:26:45.000000000 +0100 +++ inetutils-2.0/debian/patches/series 2022-08-30 13:34:10.000000000 +0200 @@ -1,3 +1,8 @@ # Local patches 0001-inetd-Change-protocol-semantics-in-inetd.conf.patch 0002-build-Disable-GFDL-info-files-and-useless-man-pages.patch +0001-telnet-Add-checks-for-option-reply-parsing-limits.patch +# Upstream git +0001-telnet-Don-t-infloop-for-malicious-server.patch +0001-ftp-check-that-PASV-LSPV-addresses-match.patch +inetutils-telnetd-EC_EL_null_deref.patch