Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@security.debian.org

Hi!

This is the counterpart to #1018744 but for buster.

[ Reason ]

This fixes three pending security issues, which the security team (CCed)
would prefer to see handled as normal oldstable updates.

(This is the same set of changes as the bullseye version, plus a couple
of patches from upstream for CVE-2019-0053, that are missing in that
version.)

[ Impact ]

All changes are security related, mostly buffer overflows, that can at
least cause crashes and DoS.

[ Tests ]

The same tests as the ones for bullseye in #1018744 were used here: the
issues could be reproduced before, and could not be reproduced any more
with the patched version.

[ Risks ]

Same risks as the version for bullseye.

[ Checklist ]

  [√] *all* changes are documented in the d/changelog
  [√] I reviewed all changes and I approve them
  [√] attach debdiff against the package in (old)stable
  [√] the issue is verified as fixed in unstable

[ Changes ]

  * Security fixes for telnet client:
    - Validate supplied environment variables.
    - Check for buffer overflows when processing telnet protocol messages.
    - Add checks for option reply parsing limits causing buffer
      overflow induced crashes due to long option values.
    - Fix infinite loop causing a stack exhaustion induced crash due to
      malicious server commands.
    Fixes CVE-2019-0053. Closes: #945861
  * Fix inetutils-ftp security bug trusting FTP PASV responses.
    Fixes CVE-2021-40491. Closes: #993476
  * Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by
    a NULL pointer dereference when sending the byte sequences «0xff 0xf7»
    or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch
    adapted by Erik Auerswald <auers...@unix-ag.uni-kl.de>.
    Fixes CVE-2022-39028.

[ Other info ]

None.

Thanks,
Guillem
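The PASV address check described in the changes above, as an added example that is not inetutils code: it parses a constructed RFC 959 style `227` reply and accepts the data address only when it equals the peer of the control connection. `parse_pasv_reply`, `pasv_reply_acceptable`, `pasv_data_port` and `pasv_check` are hypothetical names, and the parser assumes the parenthesised `h1,h2,h3,h4,p1,p2` form.

```c
/* Added example, not inetutils code: accept an FTP PASV reply only when the
 * advertised data host is the control-connection peer (CVE-2021-40491 class
 * of bug). All function names are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into an IPv4
 * sockaddr. Returns 0 on success, -1 on a malformed or out-of-range field. */
int parse_pasv_reply(const char *reply, struct sockaddr_in *data)
{
  const char *p = strchr(reply, '(');
  unsigned h[4], pt[2];
  if (p == NULL)
    return -1;
  if (sscanf(p, "(%u,%u,%u,%u,%u,%u)",
             &h[0], &h[1], &h[2], &h[3], &pt[0], &pt[1]) != 6)
    return -1;
  for (int i = 0; i < 4; i++)
    if (h[i] > 255)
      return -1;
  if (pt[0] > 255 || pt[1] > 255)
    return -1;
  memset(data, 0, sizeof *data);
  data->sin_family = AF_INET;
  data->sin_addr.s_addr = htonl((h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3]);
  data->sin_port = htons((uint16_t)((pt[0] << 8) | pt[1]));
  return 0;
}

/* Decide whether the reply may be followed: returns 1 to connect to the
 * data address, 0 to abort (host mismatch or unparsable reply). */
int pasv_reply_acceptable(const char *reply, const struct sockaddr_in *ctl_peer,
                          struct sockaddr_in *data)
{
  if (parse_pasv_reply(reply, data) != 0)
    return 0;
  /* Compare the address bytes. Comparing two arrays with != would only
   * compare their storage addresses and always report a mismatch. */
  return memcmp(&data->sin_addr, &ctl_peer->sin_addr, sizeof data->sin_addr) == 0;
}

/* Host-order data port from a reply, or -1 if the reply is malformed. */
int pasv_data_port(const char *reply)
{
  struct sockaddr_in data;
  if (parse_pasv_reply(reply, &data) != 0)
    return -1;
  return ntohs(data.sin_port);
}

/* Convenience wrapper: control peer given as a dotted quad string. */
int pasv_check(const char *reply, const char *ctl_ip)
{
  struct sockaddr_in ctl, data;
  memset(&ctl, 0, sizeof ctl);
  ctl.sin_family = AF_INET;
  if (inet_pton(AF_INET, ctl_ip, &ctl.sin_addr) != 1)
    return -1;
  return pasv_reply_acceptable(reply, &ctl, &data);
}
```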
diff -Nru inetutils-1.9.4/debian/changelog inetutils-1.9.4/debian/changelog
--- inetutils-1.9.4/debian/changelog    2020-09-18 20:06:42.000000000 +0200
+++ inetutils-1.9.4/debian/changelog    2022-08-31 00:58:35.000000000 +0200
@@ -1,3 +1,23 @@
+inetutils (2:1.9.4-7+deb10u2) buster; urgency=medium
+
+  * Security fixes for telnet client:
+    - Validate supplied environment variables.
+    - Check for buffer overflows when processing telnet protocol messages.
+    - Add checks for option reply parsing limits causing buffer
+      overflow induced crashes due to long option values.
+    - Fix infinite loop causing a stack exhaustion induced crash due to
+      malicious server commands.
+    Fixes CVE-2019-0053. Closes: #945861
+  * Fix inetutils-ftp security bug trusting FTP PASV responses.
+    Fixes CVE-2021-40491. Closes: #993476
+  * Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by
+    a NULL pointer dereference when sending the byte sequences «0xff 0xf7»
+    or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch
+    adapted by Erik Auerswald <auers...@unix-ag.uni-kl.de>.
+    Fixes CVE-2022-39028.
+
+ -- Guillem Jover <guil...@debian.org>  Wed, 31 Aug 2022 00:58:35 +0200
+
 inetutils (2:1.9.4-7+deb10u1) buster; urgency=medium
 
   * CVE-2020-10188 (Closes: #956084)
diff -Nru 
inetutils-1.9.4/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch
 
inetutils-1.9.4/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch
--- 
inetutils-1.9.4/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
inetutils-1.9.4/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch
  2022-08-31 00:58:35.000000000 +0200
@@ -0,0 +1,54 @@
+From 58cb043b190fd04effdaea7c9403416b436e50dd Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <si...@josefsson.org>
+Date: Wed, 1 Sep 2021 09:09:50 +0200
+Subject: [PATCH] ftp: check that PASV/LSPV addresses match.
+
+* ftp/ftp.c (initconn): Validate returned addresses.
+---
+ ftp/ftp.c |   21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/ftp/ftp.c
++++ b/ftp/ftp.c
+@@ -1357,6 +1357,13 @@ initconn (void)
+                 uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr;
+                 pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) | 
h[3]);
+               }
++              if (data_addr_sa4->sin_addr.s_addr
++                  != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++                {
++                  printf ("Passive mode address mismatch.\n");
++                  (void) command ("ABOR");    /* Cancel any open connection.  
*/
++                  goto bad;
++                }
+           } /* LPSV IPv4 */
+         else /* IPv6 */
+           {
+@@ -1387,6 +1394,13 @@ initconn (void)
+                 pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8) 
| h[11]);
+                 pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] << 
8) | h[15]);
+               }
++              if (data_addr_sa6->sin6_addr.s6_addr
++                  != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr)
++                {
++                  printf ("Passive mode address mismatch.\n");
++                  (void) command ("ABOR");    /* Cancel any open connection.  
*/
++                  goto bad;
++                }
+           } /* LPSV IPv6 */
+       }
+       else /* !EPSV && !LPSV */
+@@ -1407,6 +1421,13 @@ initconn (void)
+                        | ((a2 & 0xff) << 8) | (a3 & 0xff) );
+             data_addr_sa4->sin_port =
+                 htons (((p0 & 0xff) << 8) | (p1 & 0xff));
++            if (data_addr_sa4->sin_addr.s_addr
++                != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++              {
++                printf ("Passive mode address mismatch.\n");
++                (void) command ("ABOR");      /* Cancel any open connection.  
*/
++                goto bad;
++              }
+           } /* PASV */
+         else
+           {
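Review bot: the IPv6 check in the second nested hunk, `if (data_addr_sa6->sin6_addr.s6_addr != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr)`, compares two `s6_addr` arrays; both decay to pointers to distinct objects, so the condition is always true and every IPv6 LPSV transfer will print "Passive mode address mismatch.", send ABOR and fail. Compare the bytes instead, e.g. `memcmp (&data_addr_sa6->sin6_addr, &((struct sockaddr_in6 *) &hisctladdr)->sin6_addr, sizeof (struct in6_addr)) != 0`. The two IPv4 checks compare the scalar `s_addr` and are correct. Nit: the subject says "PASV/LSPV" while the code comments and RFC 1639 call the command LPSV.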
diff -Nru 
inetutils-1.9.4/debian/patches/0001-telnet-Add-checks-for-option-reply-parsing-limits.patch
 
inetutils-1.9.4/debian/patches/0001-telnet-Add-checks-for-option-reply-parsing-limits.patch
--- 
inetutils-1.9.4/debian/patches/0001-telnet-Add-checks-for-option-reply-parsing-limits.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
inetutils-1.9.4/debian/patches/0001-telnet-Add-checks-for-option-reply-parsing-limits.patch
 2022-08-31 00:56:52.000000000 +0200
@@ -0,0 +1,54 @@
+From 24dcb23ceab395644051a3da37f1cbd00fe80c17 Mon Sep 17 00:00:00 2001
+From: Guillem Jover <guil...@hadrons.org>
+Date: Fri, 3 Sep 2021 03:58:13 +0200
+Subject: [PATCH] telnet: Add checks for option reply parsing limits
+
+This fixes buffer overflows caused by for example:
+
+  telnet -l`perl -e 'print "A"x5000'` localhost
+
+Taken from FreeBSD.
+---
+ telnet/telnet.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/telnet/telnet.c
++++ b/telnet/telnet.c
+@@ -1675,8 +1675,8 @@ env_opt (register unsigned char *buf, re
+     }
+ }
+ 
+-#define OPT_REPLY_SIZE        256
+-unsigned char *opt_reply;
++#define OPT_REPLY_SIZE        (2 * SUBBUFSIZE)
++unsigned char *opt_reply = NULL;
+ unsigned char *opt_replyp;
+ unsigned char *opt_replyend;
+ 
+@@ -1759,6 +1759,8 @@ env_opt_add (register unsigned char *ep)
+     {
+       while ((c = *ep++))
+       {
++        if (opt_replyp + (2 + 2) > opt_replyend)
++          return;
+         switch (c & 0xff)
+           {
+           case IAC:
+@@ -1775,6 +1777,8 @@ env_opt_add (register unsigned char *ep)
+       }
+       if ((ep = vp))
+       {
++        if (opt_replyp + (1 + 2 + 2) > opt_replyend)
++          return;
+ #ifdef        OLD_ENVIRON
+         if (telopt_environ == TELOPT_OLD_ENVIRON)
+           *opt_replyp++ = old_env_value;
+@@ -1805,6 +1809,8 @@ env_opt_end (register int emptyok)
+ {
+   register int len;
+ 
++  if (opt_replyp + 2 > opt_replyend)
++    return;
+   len = opt_replyp - opt_reply + 2;
+   if (emptyok || len > 6)
+     {
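Review bot: the three new bound checks in env_opt_add and env_opt_end `return` silently. A `return` inside `while ((c = *ep++))` leaves a partially copied variable name in opt_reply, and env_opt_end only checks that two more bytes fit before computing `len`, so whatever was accumulated is still sent as a truncated NEW-ENVIRON reply rather than being reported. A comment stating that truncation is deliberate, plus a debug diagnostic, would help; "Taken from FreeBSD" should also cite the FreeBSD commit. The per-character reserve of `2 + 2` (the byte, a possible IAC doubling, and the trailing IAC SE) is consistent with the `1 + 2 + 2` reserve before the value marker.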
diff -Nru 
inetutils-1.9.4/debian/patches/0001-telnet-Don-t-infloop-for-malicious-server.patch
 
inetutils-1.9.4/debian/patches/0001-telnet-Don-t-infloop-for-malicious-server.patch
--- 
inetutils-1.9.4/debian/patches/0001-telnet-Don-t-infloop-for-malicious-server.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
inetutils-1.9.4/debian/patches/0001-telnet-Don-t-infloop-for-malicious-server.patch
 2022-08-31 00:58:35.000000000 +0200
@@ -0,0 +1,24 @@
+From 3fcebb9b38b8b01e528d158656af863f98a3c751 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <si...@josefsson.org>
+Date: Fri, 3 Sep 2021 15:59:45 +0200
+Subject: [PATCH] telnet: Don't infloop for malicious server.
+
+See https://bugs.debian.org/945861 and the tiny patch used by NetBSD:
+https://github.com/NetBSD/src/commit/36b8cfb2e28f691beae12da0c207086e1df0c8c4#diff-38b7213f9c6c21245fbeb4fad9520a27239d712a6dd0fea20dd6b77203b5737c
+
+* telnet/utilities.c (ExitString): Don't call SetForExit().
+
+---
+ telnet/utilities.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/telnet/utilities.c
++++ b/telnet/utilities.c
+@@ -1062,7 +1062,6 @@ Exit (int returnCode)
+ void
+ ExitString (char *string, int returnCode)
+ {
+-  SetForExit ();
+   fwrite (string, 1, strlen (string), stderr);
+   exit (returnCode);
+ }
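Review bot: the commit message says only that ExitString stops calling SetForExit() and points at the NetBSD commit; it should state how SetForExit() re-entered ExitString (the infinite loop being fixed) and what terminal state is now left unrestored when the client exits through ExitString, since that is the only behavioural change. Also the `See https://github.com/NetBSD/src/commit/...#diff-...` line carries a web diff anchor that will not survive a repository move; the commit hash alone is the durable reference.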
diff -Nru 
inetutils-1.9.4/debian/patches/0032-telnet-Validate-supplied-environment-variables.-CVE-.patch
 
inetutils-1.9.4/debian/patches/0032-telnet-Validate-supplied-environment-variables.-CVE-.patch
--- 
inetutils-1.9.4/debian/patches/0032-telnet-Validate-supplied-environment-variables.-CVE-.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
inetutils-1.9.4/debian/patches/0032-telnet-Validate-supplied-environment-variables.-CVE-.patch
      2022-08-31 00:50:26.000000000 +0200
@@ -0,0 +1,67 @@
+From bacd4ddce3cbb6ac731cad57c56722a94a7685f8 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <si...@josefsson.org>
+Date: Wed, 1 Jan 2020 15:28:54 +0100
+Subject: [PATCH 32/64] telnet: Validate supplied environment variables.
+ CVE-2019-0053
+
+telnet/telnet.c (suboption): Use snprintf instead of sprintf.
+telnet/utilities.c (printsub): Likewise.
+
+ChangeLog:
+       telnet: Validate supplied environment variables. CVE-2019-0053
+       * telnet/telnet.c (suboption): Use snprintf instead of sprintf.
+       * telnet/utilities.c (printsub): Likewise.
+---
+ ChangeLog          |   6 +++
+ NEWS               | 109 ++++++++++++++++++++++++++++++++++++++++++++-
+ telnet/telnet.c    |   6 +--
+ telnet/utilities.c |   2 +-
+ 4 files changed, 117 insertions(+), 6 deletions(-)
+
+diff --git a/telnet/telnet.c b/telnet/telnet.c
+index 97be8add..6e00513a 100644
+--- a/telnet/telnet.c
++++ b/telnet/telnet.c
+@@ -861,7 +861,7 @@ suboption (void)
+         len = strlen (name) + 4 + 2;
+         if (len < NETROOM ())
+           {
+-            sprintf ((char *) temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
++            snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c", IAC, 
SB, TELOPT_TTYPE,
+                      TELQUAL_IS, name, IAC, SE);
+             ring_supply_data (&netoring, temp, len);
+             printsub ('>', &temp[2], len - 2);
+@@ -885,7 +885,7 @@ suboption (void)
+ 
+         TerminalSpeeds (&ispeed, &ospeed);
+ 
+-        sprintf ((char *) temp, "%c%c%c%c%d,%d%c%c", IAC, SB, TELOPT_TSPEED,
++        snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%d,%d%c%c", IAC, SB, 
TELOPT_TSPEED,
+                  TELQUAL_IS, (int) ospeed, (int) ispeed, IAC, SE);
+         len = strlen ((char *) temp + 4) + 4; /* temp[3] is 0 ... */
+ 
+@@ -999,7 +999,7 @@ suboption (void)
+             send_wont (TELOPT_XDISPLOC, 1);
+             break;
+           }
+-        sprintf ((char *) temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
++        snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c", IAC, SB, 
TELOPT_XDISPLOC,
+                  TELQUAL_IS, dp, IAC, SE);
+         len = strlen ((char *) temp + 4) + 4; /* temp[3] is 0 ... */
+ 
+diff --git a/telnet/utilities.c b/telnet/utilities.c
+index 7bd53967..195e90c4 100644
+--- a/telnet/utilities.c
++++ b/telnet/utilities.c
+@@ -732,7 +732,7 @@ printsub (char direction, unsigned char *pointer, int 
length)
+             {
+               char tbuf[64];
+ 
+-              sprintf (tbuf, "%s%s%s%s%s",
++              snprintf (tbuf, sizeof (tbuf), "%s%s%s%s%s",
+                        pointer[2] & MODE_EDIT ? "|EDIT" : "",
+                        pointer[2] & MODE_TRAPSIG ? "|TRAPSIG" : "",
+                        pointer[2] & MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+-- 
+2.28.0.163.g6104cc2f0b6
+
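Review bot: switching to snprintf bounds the write, but in the TTYPE hunk `len` is still `strlen (name) + 4 + 2` and the guard is only `len < NETROOM ()`, so when the formatted message is truncated `ring_supply_data (&netoring, temp, len)` and `printsub ('>', &temp[2], len - 2)` still use the untruncated length and read past the end of `temp`; the same applies to the XDISPLOC case. The follow-up 0034-More-work-on-CVE-2019-0053.patch adds the `len < sizeof (temp)` check that closes this, so the two must stay adjacent and in that order in series. Nit: the diffstat lists ChangeLog and NEWS (117 insertions) that this backport does not carry; trim it to telnet/telnet.c and telnet/utilities.c.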
diff -Nru inetutils-1.9.4/debian/patches/0034-More-work-on-CVE-2019-0053.patch 
inetutils-1.9.4/debian/patches/0034-More-work-on-CVE-2019-0053.patch
--- inetutils-1.9.4/debian/patches/0034-More-work-on-CVE-2019-0053.patch        
1970-01-01 01:00:00.000000000 +0100
+++ inetutils-1.9.4/debian/patches/0034-More-work-on-CVE-2019-0053.patch        
2022-08-31 00:54:09.000000000 +0200
@@ -0,0 +1,108 @@
+From d8d95265609ba5be88c72e6af6adbddf31b2bba2 Mon Sep 17 00:00:00 2001
+From: Mats Erik Andersson <g...@gisladisker.se>
+Date: Wed, 29 Jan 2020 21:07:10 +0100
+Subject: [PATCH 34/64] More work on CVE-2019-0053.
+
+Telnet protocol messages must remain sane at all costs, instead of
+being truncated because indata was oversized.  Some additional cases
+of insufficient buffer declaration are corrected.
+
+ChangeLog:
+       More work on CVE-2019-0053.
+       Telnet protocol messages must not be corrupted when buffer
+       overflows are detected, but should be reported as errors.
+
+       * telnet/telnet.c (suboption): Check that prepared protocol
+       message in fact fits in intermediary buffer without truncation.
+       Tweak indentation for visibility of protocol elements in snprintf.
+
+       Insufficiently declared length of string variable.
+
+       * telnetd/utility.c (printsub): Declare TBUF with maximal extent.
+
+[tim.rueh...@gmx.de]:
+ - Fix silent truncation (off-by-one check). If the DISPLAY variable had
+   exactly 44 bytes, the SE byte (end sub negotiation) was silently
+   truncated. ]
+
+---
+ telnet/telnet.c    |   36 ++++++++++++++++++++++++++++--------
+ telnetd/utility.c  |    3 ++-
+ 4 files changed, 36 insertions(+), 15 deletions(-)
+
+--- a/telnet/telnet.c
++++ b/telnet/telnet.c
+@@ -859,10 +859,13 @@ suboption (void)
+ #endif /* defined(TN3270) */
+         name = gettermname ();
+         len = strlen (name) + 4 + 2;
+-        if (len < NETROOM ())
++
++        if ((len < NETROOM ()) && (len < sizeof (temp)))
+           {
+-            snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c", IAC, 
SB, TELOPT_TTYPE,
+-                     TELQUAL_IS, name, IAC, SE);
++            snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c",
++                      IAC, SB, TELOPT_TTYPE, TELQUAL_IS,
++                      name,
++                      IAC, SE);
+             ring_supply_data (&netoring, temp, len);
+             printsub ('>', &temp[2], len - 2);
+           }
+@@ -880,13 +883,15 @@ suboption (void)
+       if (SB_GET () == TELQUAL_SEND)
+       {
+         long ospeed, ispeed;
+-        unsigned char temp[50];
++        unsigned char temp[50];       /* Two six-digit integers plus 7.  */
+         int len;
+ 
+         TerminalSpeeds (&ispeed, &ospeed);
+ 
+-        snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%d,%d%c%c", IAC, SB, 
TELOPT_TSPEED,
+-                 TELQUAL_IS, (int) ospeed, (int) ispeed, IAC, SE);
++        snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%d,%d%c%c",
++                  IAC, SB, TELOPT_TSPEED, TELQUAL_IS,
++                  (int) ospeed, (int) ispeed,
++                  IAC, SE);
+         len = strlen ((char *) temp + 4) + 4; /* temp[3] is 0 ... */
+ 
+         if (len < NETROOM ())
+@@ -999,8 +1004,23 @@ suboption (void)
+             send_wont (TELOPT_XDISPLOC, 1);
+             break;
+           }
+-        snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c", IAC, SB, 
TELOPT_XDISPLOC,
+-                 TELQUAL_IS, dp, IAC, SE);
++
++        /* Remote host, and display server must not be corrupted
++         * by truncation.  In addition, every character of telnet
++         * protocol must remain unsevered.  Check that DP fits in
++         * full within TEMP.  Otherwise report buffer error.
++         */
++        if (strlen ((char *) dp) >= sizeof (temp) - 4 - 2)
++          {
++            printf ("lm_will: not enough room in buffer\n");
++            break;
++          }
++
++        /* Go ahead safely.  */
++        snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c",
++                  IAC, SB, TELOPT_XDISPLOC, TELQUAL_IS,
++                  dp,
++                  IAC, SE);
+         len = strlen ((char *) temp + 4) + 4; /* temp[3] is 0 ... */
+ 
+         if (len < NETROOM ())
+--- a/telnetd/utility.c
++++ b/telnetd/utility.c
+@@ -1234,7 +1234,8 @@ printsub (int direction, unsigned char *
+             break;
+           }
+         {
+-          char tbuf[32];
++          char tbuf[sizeof ("|EDIT|TRAPSIG|SOFT_TAB|LIT_ECHO|ACK")];
++
+           snprintf (tbuf, sizeof (tbuf), "%s%s%s%s%s",
+                     pointer[2] & MODE_EDIT ? "|EDIT" : "",
+                     pointer[2] & MODE_TRAPSIG ? "|TRAPSIG" : "",
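Review bot: the diagnostic added in the XDISPLOC branch, `printf ("lm_will: not enough room in buffer\n");`, is emitted from suboption, not lm_will, so anyone reading client output will look in the wrong function; name suboption or TELOPT_XDISPLOC in the message. The diffstat says `4 files changed` but lists only telnet/telnet.c and telnetd/utility.c, a leftover from dropping ChangeLog and NEWS; fix the stat. The `[tim.rueh...@gmx.de]` note ends with a stray `]`. The new `(len < NETROOM ()) && (len < sizeof (temp))` guard in the TTYPE case is the check the earlier snprintf conversion was missing.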
diff -Nru 
inetutils-1.9.4/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch 
inetutils-1.9.4/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch
--- inetutils-1.9.4/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch     
1970-01-01 01:00:00.000000000 +0100
+++ inetutils-1.9.4/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch     
2022-08-31 00:58:35.000000000 +0200
@@ -0,0 +1,45 @@
+Description: Fix remote DoS vulnerability in inetutils-telnetd
+ This is caused by a crash by a NULL pointer dereference when sending the
+ byte sequences «0xff 0xf7» or «0xff 0xf8».
+Authors:
+ Pierre Kim (original patch),
+ Alexandre Torres (original patch),
+ Erik Auerswald <auers...@unix-ag.uni-kl.de> (adapted patch),
+Reviewed-by: Erik Auerswald <auers...@unix-ag.uni-kl.de>
+Origin: upstream
+Ref: 
https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
+Forwarded: 
https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
+Last-Update: 2022-08-28
+
+
+---
+ telnetd/state.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/telnetd/state.c
++++ b/telnetd/state.c
+@@ -314,15 +314,21 @@ telrcv (void)
+           case EC:
+           case EL:
+             {
+-              cc_t ch;
++              cc_t ch = (cc_t) (_POSIX_VDISABLE);
+ 
+               DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
+               ptyflush ();    /* half-hearted */
+               init_termbuf ();
+               if (c == EC)
+-                ch = *slctab[SLC_EC].sptr;
++                {
++                  if (slctab[SLC_EC].sptr)
++                    ch = *slctab[SLC_EC].sptr;
++                }
+               else
+-                ch = *slctab[SLC_EL].sptr;
++                {
++                  if (slctab[SLC_EL].sptr)
++                    ch = *slctab[SLC_EL].sptr;
++                }
+               if (ch != (cc_t) (_POSIX_VDISABLE))
+                 pty_output_byte ((unsigned char) ch);
+               break;
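Review bot: initialising `ch` to `_POSIX_VDISABLE` and guarding both `slctab[...].sptr` dereferences makes an unset SLC entry behave as a disabled character, which the existing `if (ch != (cc_t) (_POSIX_VDISABLE))` already handles cleanly; a one-line comment on when `sptr` can still be NULL at this point (the linked advisory describes the two-byte trigger) would help the next reader. DEP-3 header nits: a trailing comma after the last `Authors:` entry, two blank lines before `---`, and `Origin: upstream` while `Forwarded:` points at the bug-inetutils list; if the fix is not yet in an upstream release, `Origin: backport` or a link to the upstream commit is more accurate.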
diff -Nru inetutils-1.9.4/debian/patches/series 
inetutils-1.9.4/debian/patches/series
--- inetutils-1.9.4/debian/patches/series       2020-09-18 15:58:34.000000000 
+0200
+++ inetutils-1.9.4/debian/patches/series       2022-08-31 00:58:35.000000000 
+0200
@@ -30,3 +30,10 @@
 0037-src-hostname.c-set_name-Handle-case-when-hostname_ne.patch
 0038-src-hostname.c-parse_file-Free-name-and-allocate-one.patch
 0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch
+# Security update
+0032-telnet-Validate-supplied-environment-variables.-CVE-.patch
+0034-More-work-on-CVE-2019-0053.patch
+0001-telnet-Add-checks-for-option-reply-parsing-limits.patch
+0001-telnet-Don-t-infloop-for-malicious-server.patch
+0001-ftp-check-that-PASV-LSPV-addresses-match.patch
+inetutils-telnetd-EC_EL_null_deref.patch
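Review bot: the order of the new entries matters: 0034-More-work-on-CVE-2019-0053.patch rewrites the snprintf lines that 0032-telnet-Validate-supplied-environment-variables.-CVE-.patch introduces, so 0032 must stay before 0034 (it does). Because the 0032/0034 prefixes no longer reflect apply order after 0053, either extend the `# Security update` comment to say the order is significant or renumber the backported patches.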
