Dear GNU Inetutils Maintainers,

I would like to report a stack-based buffer overflow vulnerability identified in the `telnet` client source code, specifically within the TN3270 emulation support.

**Vulnerability Details:**

- **File:** `telnet/tn3270.c`
- **Function:** `settranscom(int argc, char *argv[])`
- **Line:** 448 (in recent git master)

**Description:** The function `settranscom` copies command-line arguments into a global static buffer `tline` which has a fixed size of 200 bytes. The copy is performed using `strcpy` and `strcat` without checking the length of the source strings (`argv` elements).

```c
/* telnet/tn3270.c */
char tline[200];
...
int
settranscom (int argc, char *argv[])
{
  ...
  transcom = tline;
  strcpy (transcom, argv[1]); /* VULNERABLE: Unbounded copy */
  for (i = 2; i < argc; ++i)
    {
      strcat (transcom, " ");
      strcat (transcom, argv[i]); /* VULNERABLE: Unbounded concatenation */
    }
  return 1;
}
```

**Impact:** If `inetutils` is compiled with TN3270 support enabled (via `#define TN3270`), an attacker or local user can crash the application or potentially achieve code execution by supplying an overly long argument to the `transcom` command (or whichever mechanism invokes `settranscom`). While we observed that TN3270 support appears to be disabled by default in standard builds, the vulnerable code remains in the codebase and poses a risk to anyone enabling this feature.

**Recommendation:** We suggest replacing `strcpy` / `strcat` with safer alternatives like `snprintf` to ensure the data does not exceed the bounds of `tline` (200 bytes).

Thank you for your time and maintenance of GNU Inetutils.

Best regards,
Peikai Li
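
One way to apply the recommendation above, as an added example that is not part of the original report or the Inetutils source: the hypothetical helper `join_args_bounded` builds the joined string with `snprintf` and rejects input that would not fit in a 200-byte buffer instead of silently truncating it. The helper name and the sample arguments are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TLINE_SIZE 200          /* same size as tline in the report */

static char tline[TLINE_SIZE];

/* Hypothetical helper: join argv[1..argc-1] with single spaces into dst.
   Returns 1 on success; returns 0 and leaves dst empty if the result
   (including the terminating NUL) would not fit in dstsz bytes. */
static int
join_args_bounded (char *dst, size_t dstsz, int argc, char *argv[])
{
  size_t used = 0;
  int i;

  if (dstsz == 0)
    return 0;
  dst[0] = '\0';
  for (i = 1; i < argc; ++i)
    {
      /* snprintf returns the length it wanted to write, so a value
         >= the remaining space means the output was truncated. */
      int n = snprintf (dst + used, dstsz - used, "%s%s",
                        i > 1 ? " " : "", argv[i]);
      if (n < 0 || (size_t) n >= dstsz - used)
        {
          dst[0] = '\0';        /* reject instead of keeping a cut-off command */
          return 0;
        }
      used += (size_t) n;
    }
  return 1;
}

int
main (void)
{
  /* Constructed inputs: one short command line, one 300-byte argument. */
  char longarg[301];
  char *ok[] = { "transcom", "/bin/cat", "-n" };
  char *bad[] = { "transcom", longarg };

  memset (longarg, 'A', 300);
  longarg[300] = '\0';
  printf ("%d \"%s\"\n", join_args_bounded (tline, sizeof tline, 3, ok), tline);
  printf ("%d \"%s\"\n", join_args_bounded (tline, sizeof tline, 2, bad), tline);
  return 0;
}
```

Tracking the bytes already used and comparing the `snprintf` return value against the remaining space covers the loop as a whole, so many short arguments are rejected the same way as one long one.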