Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: t...@security.debian.org
Hi! [ Reason ] A recent vulnerability (DoS) was reported upstream, for which I uploaded a fixed package to sid (will migrate tomorrow). There was a (minor) pending security update missing from bullseye. The security team (CCed) would prefer to see these handled as normal stable updates. [ Impact ] These are both security issues. One against malicious ftp servers which can end up controlling the client to connect to other hosts, the other a DoS on the telnetd server which makes it crash with specific two-byte payloads. [ Tests ] For the ftp client, there's a test recipe at <https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html>. For the telnetd server there's a test recipe at <https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00003.html> which amounts to «printf "\xff\xf7" | nc -n -v localhost 23». Both test recipes could be reproduced before, and do not work after the patched version. [ Risks ] The fix for the ftp client has been in sid since 2021-09 with no reported regressions. The fix for telnetd has not yet migrated to testing, but is few lines long fixing a couple of NULL pointer dereferences. [ Checklist ] [√] *all* changes are documented in the d/changelog [√] I reviewed all changes and I approve them [√] attach debdiff against the package in (old)stable [√] the issue is verified as fixed in unstable [ Changes ] * Fix inetutils-ftp security bug trusting FTP PASV responses. Fixes CVE-2021-40491. Closes: #993476 * Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by a NULL pointer dereference when sending the byte sequences «0xff 0xf7» or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch adapted by Erik Auerswald <auers...@unix-ag.uni-kl.de>. [ Other info ] None. Thanks. Guillem
diff -Nru inetutils-2.0/debian/changelog inetutils-2.0/debian/changelog --- inetutils-2.0/debian/changelog 2021-02-05 23:14:20.000000000 +0100 +++ inetutils-2.0/debian/changelog 2022-08-28 16:01:41.000000000 +0200 @@ -1,3 +1,14 @@ +inetutils (2:2.0-1+deb11u1) bullseye; urgency=medium + + * Fix inetutils-ftp security bug trusting FTP PASV responses. + Fixes CVE-2021-40491. Closes: #993476 + * Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by + a NULL pointer dereference when sending the byte sequences «0xff 0xf7» + or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch + adapted by Erik Auerswald <auers...@unix-ag.uni-kl.de>. + + -- Guillem Jover <guil...@debian.org> Sun, 28 Aug 2022 16:01:41 +0200 + inetutils (2:2.0-1) unstable; urgency=medium * New upstream release. diff -Nru inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch --- inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch 1970-01-01 01:00:00.000000000 +0100 +++ inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch 2022-08-28 16:01:41.000000000 +0200 @@ -0,0 +1,59 @@ +From 58cb043b190fd04effdaea7c9403416b436e50dd Mon Sep 17 00:00:00 2001 +From: Simon Josefsson <si...@josefsson.org> +Date: Wed, 1 Sep 2021 09:09:50 +0200 +Subject: [PATCH] ftp: check that PASV/LSPV addresses match. + +* ftp/ftp.c (initconn): Validate returned addresses. +--- + ftp/ftp.c | 21 +++++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/ftp/ftp.c b/ftp/ftp.c +index d21dbdd8..7513539d 100644 +--- a/ftp/ftp.c ++++ b/ftp/ftp.c +@@ -1365,6 +1365,13 @@ initconn (void) + uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr; + pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3]); + } ++ if (data_addr_sa4->sin_addr.s_addr ++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr) ++ { ++ printf ("Passive mode address mismatch.\n"); ++ (void) command ("ABOR"); /* Cancel any open connection. */ ++ goto bad; ++ } + } /* LPSV IPv4 */ + else /* IPv6 */ + { +@@ -1395,6 +1402,13 @@ initconn (void) + pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8) | h[11]); + pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] << 8) | h[15]); + } ++ if (data_addr_sa6->sin6_addr.s6_addr ++ != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr) ++ { ++ printf ("Passive mode address mismatch.\n"); ++ (void) command ("ABOR"); /* Cancel any open connection. */ ++ goto bad; ++ } + } /* LPSV IPv6 */ + } + else /* !EPSV && !LPSV */ +@@ -1415,6 +1429,13 @@ initconn (void) + | ((a2 & 0xff) << 8) | (a3 & 0xff) ); + data_addr_sa4->sin_port = + htons (((p0 & 0xff) << 8) | (p1 & 0xff)); ++ if (data_addr_sa4->sin_addr.s_addr ++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr) ++ { ++ printf ("Passive mode address mismatch.\n"); ++ (void) command ("ABOR"); /* Cancel any open connection. */ ++ goto bad; ++ } + } /* PASV */ + else + { +-- +2.37.2 + diff -Nru inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch --- inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch 1970-01-01 01:00:00.000000000 +0100 +++ inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch 2022-08-28 16:01:41.000000000 +0200 @@ -0,0 +1,45 @@ +Description: Fix remote DoS vulnerability in inetutils-telnetd + This is caused by a crash by a NULL pointer dereference when sending the + byte sequences «0xff 0xf7» or «0xff 0xf8». +Authors: + Pierre Kim (original patch), + Alexandre Torres (original patch), + Erik Auerswald <auers...@unix-ag.uni-kl.de> (adapted patch), +Reviewed-by: Erik Auerswald <auers...@unix-ag.uni-kl.de> +Origin: upstream +Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html +Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html +Last-Update: 2022-08-28 + + +--- + telnetd/state.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/telnetd/state.c ++++ b/telnetd/state.c +@@ -315,15 +315,21 @@ telrcv (void) + case EC: + case EL: + { +- cc_t ch; ++ cc_t ch = (cc_t) (_POSIX_VDISABLE); + + DEBUG (debug_options, 1, printoption ("td: recv IAC", c)); + ptyflush (); /* half-hearted */ + init_termbuf (); + if (c == EC) +- ch = *slctab[SLC_EC].sptr; ++ { ++ if (slctab[SLC_EC].sptr) ++ ch = *slctab[SLC_EC].sptr; ++ } + else +- ch = *slctab[SLC_EL].sptr; ++ { ++ if (slctab[SLC_EL].sptr) ++ ch = *slctab[SLC_EL].sptr; ++ } + if (ch != (cc_t) (_POSIX_VDISABLE)) + pty_output_byte ((unsigned char) ch); + break; diff -Nru inetutils-2.0/debian/patches/series inetutils-2.0/debian/patches/series --- inetutils-2.0/debian/patches/series 2021-01-30 01:26:45.000000000 +0100 +++ inetutils-2.0/debian/patches/series 2022-08-28 16:00:38.000000000 +0200 @@ -1,3 +1,6 @@ # Local patches 0001-inetd-Change-protocol-semantics-in-inetd.conf.patch 0002-build-Disable-GFDL-info-files-and-useless-man-pages.patch +# Upstream patches +0001-ftp-check-that-PASV-LSPV-addresses-match.patch +inetutils-telnetd-EC_EL_null_deref.patch