Hi!

On Tue, 2020-04-07 at 13:41:09 +1000, Paul Szabo wrote:
> Package: inetutils-telnetd
> Severity: critical
> Tags: security
> Justification: root security hole

> Looking in https://security-tracker.debian.org/tracker/CVE-2020-10188 :
> 
>   utility.c in telnetd in netkit telnet through 0.17 allows remote
>   attackers to execute arbitrary code via short writes or urgent data,
>   because of a buffer overflow involving the netclear and nextitem
>   functions.

Thanks for the report!

> Seems to me that inetutils contains the same (vulnerable) utility.c
> functions. Please check.

I've reported this upstream, as I don't think I'll have the immediate
time to deal with this myself. I've just skimmed over the original
advisory and inetutils code and it seems like the relevant code is
there. I've run the PoC exploit and the info leak seems to be valid,
but the memory layout is not due to the code differences so there's an
assert triggered, but I still think the exploit would otherwise work.

The mail has not yet reached the upstream list; I'll update the
forwarded control data once that's the case.

Thanks,
Guillem
