Hello community,

here is the log from the commit of package telnet for openSUSE:Factory checked in at 2022-10-22 14:12:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/telnet (Old)
 and      /work/SRC/openSUSE:Factory/.telnet.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "telnet"

Sat Oct 22 14:12:39 2022 rev:33 rq:1030433 version:1.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/telnet/telnet.changes    2021-12-18 
20:29:23.930214315 +0100
+++ /work/SRC/openSUSE:Factory/.telnet.new.2275/telnet.changes  2022-10-22 
14:13:13.632757929 +0200
@@ -1,0 +2,7 @@
+Fri Oct 21 14:47:08 UTC 2022 - Danilo Spinella <danilo.spine...@suse.com>
+
+- Fix CVE-2022-39028, NULL pointer dereference in telnetd
+  (CVE-2022-39028, bsc#1203759)
+  CVE-2022-39028.patch
+
+-------------------------------------------------------------------
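
Review bot: The new telnet.changes entry names CVE-2022-39028 twice, once in the summary line and again in the parenthesised reference, but never states the impact, which the patch header describes as a remote DoS. Suggest a single reference plus the impact, for example "- Fix remote DoS caused by a NULL pointer dereference in telnetd (CVE-2022-39028, bsc#1203759)", followed by the patch file name.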

New:
----
  CVE-2022-39028.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ telnet.spec ++++++
--- /var/tmp/diff_new_pack.f4526y/_old  2022-10-22 14:13:14.476759929 +0200
+++ /var/tmp/diff_new_pack.f4526y/_new  2022-10-22 14:13:14.480759939 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package telnet
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -34,6 +34,9 @@
 Patch4:         telnet-bsd-1.2-hostalias.patch
 #PATCH-FIX-UPSTREAM bnc#898481 kstreit...@suse.com -- fix the infinite loop 
consumes an entire CPU
 Patch5:         telnet-bsd-1.2-fix-infinite-loop.patch
+# PATCH-FIX-SECURITY bsc#1203759 danilo.spine...@suse.com CVE-2022-39028
+# NULL pointer dereference in telnetd
+Patch6:         CVE-2022-39028.patch
 BuildRequires:  ncurses-devel
 BuildRequires:  systemd-rpm-macros
 Provides:       nkitb:%{_bindir}/telnet
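
Review bot: The comment above Patch6 uses the tag PATCH-FIX-SECURITY, while Patch5 directly above it uses PATCH-FIX-UPSTREAM and the header of CVE-2022-39028.patch says "Origin: upstream". Suggest using the same tag as Patch5 for consistency. Since the patch header describes the fix as one for inetutils-telnetd while the other patches in this spec are named telnet-bsd-1.2-*, the comment could also say that the patch was taken from inetutils.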
@@ -68,6 +71,7 @@
 %patch3
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 
 %build
 export CFLAGS="%{optflags} -fpie $(ncurses6-config --cflags)"

++++++ CVE-2022-39028.patch ++++++
Description: Fix remote DoS vulnerability in inetutils-telnetd
 This is caused by a crash by a NULL pointer dereference when sending the
 byte sequences "0xff 0xf7" or "0xff 0xf8".
Authors:
 Pierre Kim (original patch),
 Alexandre Torres (original patch),
 Erik Auerswald <auers...@unix-ag.uni-kl.de> (adapted patch),
Reviewed-by: Erik Auerswald <auers...@unix-ag.uni-kl.de>
Origin: upstream
Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
Last-Update: 2022-08-28


diff --git a/telnetd/state.c b/telnetd/state.c
index ffc6cbaf..c2d760f8 100644
--- a/telnetd/state.c
+++ b/telnetd/state.c
@@ -185,16 +185,22 @@ telrcv (void)
                        case EC:
                        case EL:
                            {
-                               cc_t ch;
+                               cc_t ch = (cc_t) (_POSIX_VDISABLE);
 
                                DIAG(TD_OPTIONS,
                                        printoption("td: recv IAC", c));
                                ptyflush();     /* half-hearted */
                                init_termbuf();
                                if (c == EC)
-                                       ch = *slctab[SLC_EC].sptr;
+                                 {
+                                   if (slctab[SLC_EC].sptr)
+                                     ch = *slctab[SLC_EC].sptr;
+                                 }
                                else
-                                       ch = *slctab[SLC_EL].sptr;
+                                 {
+                                   if (slctab[SLC_EL].sptr)
+                                     ch = *slctab[SLC_EL].sptr;
+                                 }
                                if (ch != (cc_t)(_POSIX_VDISABLE))
                                        *pfrontp++ = (unsigned char)ch;
                                break;
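
Review bot: The two added guards in the EC/EL case of telrcv(), "if (slctab[SLC_EC].sptr)" and "if (slctab[SLC_EL].sptr)", carry no comment explaining when sptr can be NULL, so the reason for the check and for initialising ch to _POSIX_VDISABLE is not visible to the next reader. Suggest a one-line comment stating that sptr may be unset when IAC EC or IAC EL arrives, and that in this case ch stays at _POSIX_VDISABLE so the existing "if (ch != (cc_t)(_POSIX_VDISABLE))" test writes nothing to the pty buffer. The guard is also duplicated across both branches; picking the index first (SLC_EC or SLC_EL depending on c) and testing sptr once would keep the two paths from drifting apart. As a style point, the added lines use space indentation and GNU brace placement inside a block that is otherwise tab-indented. It would also be worth confirming that no other dereference of slctab[...].sptr in state.c needs the same guard, since this hunk covers only the EC and EL commands.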
