Fix off-by-one error in Terminal-Type option subnegotiation if the TERM variable has exactly 44 bytes. In this case the SE byte (end of subnegotiation parameters) was replaced by a NUL byte. This concerns the CVE-2019-0053 fixes. Reported by Erik Auerswald in <https://lists.gnu.org/archive/html/bug-inetutils/2022-02/msg00004.html>.
* NEWS: Mention fix. * telnet/telnet.c (suboption): Adjust length check to account for NUL byte written by snprintf(). --- NEWS | 5 +++++ telnet/telnet.c | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 166ca457..319bb2f9 100644 --- a/NEWS +++ b/NEWS @@ -11,6 +11,11 @@ Abort subnegotiation of X Display Location Option with WON'T when DISPLAY value is too large for buffer. Reported by Joerg Mayer in <https://lists.gnu.org/archive/html/bug-inetutils/2022-01/msg00010.html>. +Fix off-by-one error in Terminal-Type option subnegotiation if the TERM +variable has exactly 44 bytes. This concerns the CVE-2019-0053 fixes. +Reported by Erik Auerswald in +<https://lists.gnu.org/archive/html/bug-inetutils/2022-02/msg00004.html>. + ** Various bugs fixes, internal improvements and clean ups. Further cleanup of configure.ac, updates to modern autoconf releases, diff --git a/telnet/telnet.c b/telnet/telnet.c index 62c79653..d7e0ad8e 100644 --- a/telnet/telnet.c +++ b/telnet/telnet.c @@ -860,7 +860,7 @@ suboption (void) name = gettermname (); len = strlen (name) + 4 + 2; - if ((len < NETROOM ()) && (len <= (int) sizeof (temp))) + if ((len < NETROOM ()) && (len < (int) sizeof (temp))) { snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE, TELQUAL_IS, -- In the beginning, there were not enough colors. -- Guy Keren
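Review bot: In the telnet/telnet.c hunk, the corrected condition `(len < (int) sizeof (temp))` only works because `len` counts the four header bytes and the trailing IAC SE but not the NUL that snprintf() appends, and nothing at the call site says so. A short comment next to `len = strlen (name) + 4 + 2;` naming what the 4 and the 2 stand for, and stating that one further byte is needed for the terminator, would keep the next edit from reintroducing `<=`. As far as the context lines show, the return value of snprintf() is not used; comparing it against `sizeof (temp)` would catch truncation independently of the hand-computed length.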
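Review bot: The NEWS entry leaves out the consequence that the commit message states, namely that the SE byte ending the subnegotiation was replaced by a NUL byte. Adding that sentence after "exactly 44 bytes." would tell readers of NEWS what the observable effect of the bug was, which "This concerns the CVE-2019-0053 fixes" alone does not.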
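The truncation described in the commit message can be reproduced in isolation. The following is an added example, not code from inetutils: `build_ttype`, `last_byte` and `TEMP_SIZE` are hypothetical names, the 50-byte buffer size is an assumption inferred from the 44-byte figure (44 + 4 + 2), and the `NETROOM ()` test is left out.

```c
#include <stdio.h>
#include <string.h>

/* Telnet protocol bytes (RFC 854, RFC 1091). */
enum { IAC = 255, SB = 250, SE = 240, TELOPT_TTYPE = 24, TELQUAL_IS = 0 };

/* Assumption: 50 bytes, inferred from the commit message (44 + 4 + 2). */
#define TEMP_SIZE 50

/* Build IAC SB TERMINAL-TYPE IS <name> IAC SE in temp.
   fixed == 0: pre-patch check (len <= size); fixed != 0: patched (len < size).
   Returns the message length, or -1 when the check refuses the name.
   The NETROOM() half of the original condition is not modeled. */
static int build_ttype(const char *name, int fixed, unsigned char *temp)
{
    int len = (int) strlen(name) + 4 + 2;
    int fits = fixed ? (len < TEMP_SIZE) : (len <= TEMP_SIZE);

    memset(temp, 0xAA, TEMP_SIZE);  /* poison, so untouched bytes stand out */
    if (!fits)
        return -1;
    /* snprintf() keeps the last byte of the buffer for its terminating NUL. */
    snprintf((char *) temp, TEMP_SIZE, "%c%c%c%c%s%c%c",
             IAC, SB, TELOPT_TTYPE, TELQUAL_IS, name, IAC, SE);
    return len;
}

/* Last byte of the message that would be sent for a constructed TERM value
   of name_len bytes, or -1 when the check refuses it. */
static int last_byte(size_t name_len, int fixed)
{
    char name[64];
    unsigned char temp[TEMP_SIZE];
    int len;

    memset(name, 'x', name_len);
    name[name_len] = '\0';
    len = build_ttype(name, fixed, temp);
    return len < 0 ? -1 : temp[len - 1];
}

int main(void)
{
    printf("44 bytes, old check: 0x%02x\n", (unsigned) last_byte(44, 0));
    printf("44 bytes, new check: %d\n", last_byte(44, 1));
    printf("43 bytes, new check: 0x%02x\n", (unsigned) last_byte(43, 1));
    return 0;
}
```

With the old check the 44-byte name passes and the final byte is NUL instead of SE; with the new check the same name is refused, and a 43-byte name still ends in SE.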