Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@security.debian.org
Hi!
[ Reason ]
A recent vulnerability (DoS) was reported upstream, for which I
uploaded a fixed package to sid (will migrate tomorrow). There was a
(minor) pending security update missing from bullseye. The security
team (CCed) would prefer to see these handled as normal stable updates.
[ Impact ]
These are both security issues. One against malicious ftp servers
which can end up controlling the client to connect to other hosts,
the other a DoS on the telnetd server which makes it crash with
specific two-byte payloads.
[ Tests ]
For the ftp client, there's a test recipe at
<https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html>.
For the telnetd server there's a test recipe at
<https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00003.html>
which amounts to «printf "\xff\xf7" | nc -n -v localhost 23».
Both test recipes could be reproduced before, and do not work after
the patched version.
[ Risks ]
The fix for the ftp client has been in sid since 2021-09 with no
reported regressions.
The fix for telnetd has not yet migrated to testing, but is few lines
long fixing a couple of NULL pointer dereferences.
[ Checklist ]
[√] *all* changes are documented in the d/changelog
[√] I reviewed all changes and I approve them
[√] attach debdiff against the package in (old)stable
[√] the issue is verified as fixed in unstable
[ Changes ]
* Fix inetutils-ftp security bug trusting FTP PASV responses.
Fixes CVE-2021-40491. Closes: #993476
* Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by
a NULL pointer dereference when sending the byte sequences «0xff 0xf7»
or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch
adapted by Erik Auerswald <auers...@unix-ag.uni-kl.de>.
[ Other info ]
None.
Thanks.
Guillem
diff -Nru inetutils-2.0/debian/changelog inetutils-2.0/debian/changelog
--- inetutils-2.0/debian/changelog 2021-02-05 23:14:20.000000000 +0100
+++ inetutils-2.0/debian/changelog 2022-08-28 16:01:41.000000000 +0200
@@ -1,3 +1,14 @@
+inetutils (2:2.0-1+deb11u1) bullseye; urgency=medium
+
+ * Fix inetutils-ftp security bug trusting FTP PASV responses.
+ Fixes CVE-2021-40491. Closes: #993476
+ * Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by
+ a NULL pointer dereference when sending the byte sequences «0xff 0xf7»
+ or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch
+ adapted by Erik Auerswald <auers...@unix-ag.uni-kl.de>.
+
+ -- Guillem Jover <guil...@debian.org> Sun, 28 Aug 2022 16:01:41 +0200
+
inetutils (2:2.0-1) unstable; urgency=medium
* New upstream release.
diff -Nru
inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch
inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch
---
inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch
1970-01-01 01:00:00.000000000 +0100
+++
inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch
2022-08-28 16:01:41.000000000 +0200
@@ -0,0 +1,59 @@
+From 58cb043b190fd04effdaea7c9403416b436e50dd Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <si...@josefsson.org>
+Date: Wed, 1 Sep 2021 09:09:50 +0200
+Subject: [PATCH] ftp: check that PASV/LSPV addresses match.
+
+* ftp/ftp.c (initconn): Validate returned addresses.
+---
+ ftp/ftp.c | 21 +++++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/ftp/ftp.c b/ftp/ftp.c
+index d21dbdd8..7513539d 100644
+--- a/ftp/ftp.c
++++ b/ftp/ftp.c
+@@ -1365,6 +1365,13 @@ initconn (void)
+ uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr;
+ pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) |
h[3]);
+ }
++ if (data_addr_sa4->sin_addr.s_addr
++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection.
*/
++ goto bad;
++ }
+ } /* LPSV IPv4 */
+ else /* IPv6 */
+ {
+@@ -1395,6 +1402,13 @@ initconn (void)
+ pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8)
| h[11]);
+ pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] <<
8) | h[15]);
+ }
++ if (data_addr_sa6->sin6_addr.s6_addr
++ != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection.
*/
++ goto bad;
++ }
+ } /* LPSV IPv6 */
+ }
+ else /* !EPSV && !LPSV */
+@@ -1415,6 +1429,13 @@ initconn (void)
+ | ((a2 & 0xff) << 8) | (a3 & 0xff) );
+ data_addr_sa4->sin_port =
+ htons (((p0 & 0xff) << 8) | (p1 & 0xff));
++ if (data_addr_sa4->sin_addr.s_addr
++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection.
*/
++ goto bad;
++ }
+ } /* PASV */
+ else
+ {
+--
+2.37.2
+
diff -Nru inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch
inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch
--- inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch
1970-01-01 01:00:00.000000000 +0100
+++ inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch
2022-08-28 16:01:41.000000000 +0200
@@ -0,0 +1,45 @@
+Description: Fix remote DoS vulnerability in inetutils-telnetd
+ This is caused by a crash by a NULL pointer dereference when sending the
+ byte sequences «0xff 0xf7» or «0xff 0xf8».
+Authors:
+ Pierre Kim (original patch),
+ Alexandre Torres (original patch),
+ Erik Auerswald <auers...@unix-ag.uni-kl.de> (adapted patch),
+Reviewed-by: Erik Auerswald <auers...@unix-ag.uni-kl.de>
+Origin: upstream
+Ref:
https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
+Forwarded:
https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
+Last-Update: 2022-08-28
+
+
+---
+ telnetd/state.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/telnetd/state.c
++++ b/telnetd/state.c
+@@ -315,15 +315,21 @@ telrcv (void)
+ case EC:
+ case EL:
+ {
+- cc_t ch;
++ cc_t ch = (cc_t) (_POSIX_VDISABLE);
+
+ DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
+ ptyflush (); /* half-hearted */
+ init_termbuf ();
+ if (c == EC)
+- ch = *slctab[SLC_EC].sptr;
++ {
++ if (slctab[SLC_EC].sptr)
++ ch = *slctab[SLC_EC].sptr;
++ }
+ else
+- ch = *slctab[SLC_EL].sptr;
++ {
++ if (slctab[SLC_EL].sptr)
++ ch = *slctab[SLC_EL].sptr;
++ }
+ if (ch != (cc_t) (_POSIX_VDISABLE))
+ pty_output_byte ((unsigned char) ch);
+ break;
diff -Nru inetutils-2.0/debian/patches/series
inetutils-2.0/debian/patches/series
--- inetutils-2.0/debian/patches/series 2021-01-30 01:26:45.000000000 +0100
+++ inetutils-2.0/debian/patches/series 2022-08-28 16:00:38.000000000 +0200
@@ -1,3 +1,6 @@
# Local patches
0001-inetd-Change-protocol-semantics-in-inetd.conf.patch
0002-build-Disable-GFDL-info-files-and-useless-man-pages.patch
+# Upstream patches
+0001-ftp-check-that-PASV-LSPV-addresses-match.patch
+inetutils-telnetd-EC_EL_null_deref.patch
