https://aur.archlinux.org/packages/inetutils-git/
2017-02-21 18:50 Mats Erik Andersson o telnetd: Debugging of line mode options. 9db2d39777f8d37496265fc732e640a2ea0c9a29 This new code is causing a buffer overflow. I can immediately see that char data[6] doesn't include space for the trailing \0. I tried boosting to "char data[1000]" and that stopped the overflow but then it output junk characters in place of the OS greeting. Fortunately something shovels the backtrace through the telnet connection before terminating. % telnet 192.168.50.25 Trying 192.168.50.25... Connected to 192.168.50.25. Escape character is '^]'. *** buffer overflow detected ***: /usr/bin/telnetd terminated ======= Backtrace: ========= /usr/lib/libc.so.6(+0x722ab)[0x7f2bfc5e92ab] /usr/lib/libc.so.6(__fortify_fail+0x37)[0x7f2bfc674407] /usr/lib/libc.so.6(+0xfb330)[0x7f2bfc672330] /usr/lib/libc.so.6(+0xfa819)[0x7f2bfc671819] /usr/lib/libc.so.6(_IO_vfprintf+0x2a70)[0x7f2bfc5c2280] /usr/lib/libc.so.6(__vsprintf_chk+0x9f)[0x7f2bfc6718bf] /usr/lib/libc.so.6(__sprintf_chk+0x8a)[0x7f2bfc6717ea] /usr/bin/telnetd(clientstat+0x10e)[0x40b2de] /usr/bin/telnetd(telrcv+0x197)[0x40a6b7] /usr/bin/telnetd(io_drain+0xef)[0x4078df] /usr/bin/telnetd(getterminaltype+0x75)[0x407a35] /usr/bin/telnetd[0x405d25] /usr/bin/telnetd(main+0x88)[0x404ed8] /usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7f2bfc597511] /usr/bin/telnetd(_start+0x2a)[0x404f2a]
