Thank you for the review.  How did you build with TN3270 support?  Does
anyone know of anyone building with -DTN3270?  I tried ./configure
CFLAGS=-DTN3270 and it doesn't build for me.  Does it build on any
reasonable platform?

One approach here is to remove everything within '#ifdef TN3270' if this
code is unmaintained, not working, and comes with security concerns.

Would anyone miss the TN3270 functionality?  Is there any way we can test
the functionality to gain confidence in it?

Making all in telnet
make[2]: Entering directory '/home/jas/src/inetutils/telnet'
  CC       commands.o
commands.c: In function 'bye':
commands.c:1658:7: error: implicit declaration of function 'SetIn3270' [-Wimplicit-function-declaration]
 1658 |       SetIn3270 ();             /* Get out of 3270 mode */
      |       ^~~~~~~~~
commands.c: In function 'status':
commands.c:2414:30: error: too many arguments to function 'getpgrp'
 2414 |                   getpid (), getpgrp (getpid ()));
      |                              ^~~~~~~
In file included from ../lib/unistd.h:40,
                 from /usr/include/x86_64-linux-gnu/bits/sigstksz.h:24,
                 from /usr/include/signal.h:328,
                 from ../lib/signal.h:52,
                 from /usr/include/x86_64-linux-gnu/sys/param.h:28,
                 from commands.c:51:
/usr/include/unistd.h:656:16: note: declared here
  656 | extern __pid_t getpgrp (void) __THROW;
      |                ^~~~~~~
make[2]: *** [Makefile:2643: commands.o] Error 1

/Simon

Veper X <[email protected]> writes:

> Dear GNU Inetutils Maintainers,
>
> I would like to report a stack-based buffer overflow vulnerability identified 
> in the `telnet` client source code, specifically within the TN3270
> emulation support.
>
> **Vulnerability Details:**
>
> - **File:** `telnet/tn3270.c`
> - **Function:** `settranscom(int argc, char *argv[])`
> - **Line:** 448 (in recent git master)
>
> **Description:**
> The function `settranscom` copies command-line arguments into a global static 
> buffer `tline` which has a fixed size of 200 bytes. The copy
> is performed using `strcpy` and `strcat` without checking the length of the 
> source strings (`argv` elements).
>
> ```c
> /* telnet/tn3270.c */
> char tline[200];
> ...
> int settranscom (int argc, char *argv[])
> {
>   ...
>   transcom = tline;
>   strcpy (transcom, argv[1]);  /* VULNERABLE: Unbounded copy */
>   for (i = 2; i < argc; ++i)
>     {
>       strcat (transcom, " ");
>       strcat (transcom, argv[i]); /* VULNERABLE: Unbounded concatenation */
>     }
>   return 1;
> }
> ```
>
> **Impact:**
> If `inetutils` is compiled with TN3270 support enabled (via `#define 
> TN3270`), an attacker or local user can crash the application or
> potentially achieve code execution by supplying an overly long argument to 
> the `transcom` command (or whichever mechanism invokes
> `settranscom`).
>
> While we observed that TN3270 support appears to be disabled by default in 
> standard builds, the vulnerable code remains in the
> codebase and poses a risk to anyone enabling this feature.
>
> **Recommendation:**
> We suggest replacing `strcpy` / `strcat` with safer alternatives like 
> `snprintf` to ensure the data does not exceed the bounds of `tline` (200
> bytes).
>
> Thank you for your time and maintenance of GNU Inetutils.
>
> Best regards,
> Peikai Li
>
