Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id
<d50ba4de424290cd2840a09ef19950156fcf51ab.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #970584,
regarding buster-pu: package inetutils/2:1.9.4-7+deb10u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
970584: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970584
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Fix for CVE-2020-10188, which doesn' really warrant a DSA.
(The numbering in debian/patches/series is the following
what's in unstable, the same patch is present there since a few
months already)
Debdiff attached.
Cheers,
Moritz
diff -Nru inetutils-1.9.4/debian/changelog inetutils-1.9.4/debian/changelog
--- inetutils-1.9.4/debian/changelog 2019-02-16 18:09:37.000000000 +0100
+++ inetutils-1.9.4/debian/changelog 2020-09-18 20:06:42.000000000 +0200
@@ -1,3 +1,9 @@
+inetutils (2:1.9.4-7+deb10u1) buster; urgency=medium
+
+ * CVE-2020-10188 (Closes: #956084)
+
+ -- Moritz Mühlenhoff <[email protected]> Fri, 18 Sep 2020 20:06:42 +0200
+
inetutils (2:1.9.4-7) unstable; urgency=medium
* Remove debian/tmp prefix from man pages paths in debhelper fragment files.
diff -Nru
inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch
inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch
---
inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch
1970-01-01 01:00:00.000000000 +0100
+++
inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch
2020-09-18 15:58:19.000000000 +0200
@@ -0,0 +1,130 @@
+From 99afdd5ecd787e40f06473304125eee93139031a Mon Sep 17 00:00:00 2001
+From: Michal Ruprich <[email protected]>
+Date: Sun, 12 Apr 2020 22:41:50 +0200
+Subject: [PATCH 53/60] telnetd: Fix arbitrary remote code execution via short
+ writes or urgent data
+
+Fixes: CVE-2020-10188
+Closes: #956084
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10188
+Patch-Origin: Fedora / RedHat
+Patch-URL:
https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch
+---
+ telnetd/telnetd.h | 2 +-
+ telnetd/utility.c | 35 ++++++++++++++++++++++-------------
+ 2 files changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/telnetd/telnetd.h b/telnetd/telnetd.h
+index 044025d2..fa970e24 100644
+--- a/telnetd/telnetd.h
++++ b/telnetd/telnetd.h
+@@ -271,7 +271,7 @@ void io_drain (void);
+
+ int stilloob (int s);
+ void ptyflush (void);
+-char *nextitem (char *current);
++char *nextitem (char *current, const char *endp);
+ void netclear (void);
+ void netflush (void);
+
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index db93c205..c9df8a79 100644
+--- a/telnetd/utility.c
++++ b/telnetd/utility.c
+@@ -484,10 +484,14 @@ stilloob (int s)
+ * character.
+ */
+ char *
+-nextitem (char *current)
++nextitem (char *current, const char *endp)
+ {
++ if (current >= endp)
++ return NULL;
+ if ((*current & 0xff) != IAC)
+ return current + 1;
++ if (current + 1 >= endp)
++ return NULL;
+
+ switch (*(current + 1) & 0xff)
+ {
+@@ -495,19 +499,20 @@ nextitem (char *current)
+ case DONT:
+ case WILL:
+ case WONT:
+- return current + 3;
++ return current + 3 <= endp ? current + 3 : NULL;
+
+ case SB: /* loop forever looking for the SE */
+ {
+ char *look = current + 2;
+
+- for (;;)
+- if ((*look++ & 0xff) == IAC && (*look++ & 0xff) == SE)
++ while (look < endp)
++ if ((*look++ & 0xff) == IAC && look < endp && (*look++ & 0xff) == SE)
+ return look;
+
+- default:
+- return current + 2;
++ return NULL;
+ }
++ default:
++ return current + 2 <= endp ? current + 2 : NULL;
+ }
+ } /* end of nextitem */
+
+@@ -529,8 +534,9 @@ nextitem (char *current)
+ * us in any case.
+ */
+ #define wewant(p) \
+- ((nfrontp > p) && ((*p&0xff) == IAC) && \
+- ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
++ ((nfrontp > p) && ((*p & 0xff) == IAC) && \
++ (nfrontp > p + 1 && (((*(p + 1) & 0xff) != EC) && \
++ ((*(p + 1)&0xff) != EL))))
+
+
+ void
+@@ -545,7 +551,7 @@ netclear (void)
+ thisitem = netobuf;
+ #endif /* ENCRYPTION */
+
+- while ((next = nextitem (thisitem)) <= nbackp)
++ while ((next = nextitem (thisitem, nbackp)) != NULL && next <= nbackp)
+ thisitem = next;
+
+ /* Now, thisitem is first before/at boundary. */
+@@ -556,15 +562,18 @@ netclear (void)
+ good = netobuf; /* where the good bytes go */
+ #endif /* ENCRYPTION */
+
+- while (nfrontp > thisitem)
++ while (thisitem != NULL && nfrontp > thisitem)
+ {
+ if (wewant (thisitem))
+ {
+ int length;
+
+- for (next = thisitem; wewant (next) && nfrontp > next;
+- next = nextitem (next))
++ for (next = thisitem;
++ next != NULL && wewant (next) && nfrontp > next;
++ next = nextitem (next, nfrontp))
+ ;
++ if (next == NULL)
++ next = nfrontp;
+
+ length = next - thisitem;
+ memmove (good, thisitem, length);
+@@ -573,7 +582,7 @@ netclear (void)
+ }
+ else
+ {
+- thisitem = nextitem (thisitem);
++ thisitem = nextitem (thisitem, nfrontp);
+ }
+ }
+
+--
+2.26.0.292.g33ef6b2f38
+
diff -Nru inetutils-1.9.4/debian/patches/series
inetutils-1.9.4/debian/patches/series
--- inetutils-1.9.4/debian/patches/series 2019-02-16 17:21:30.000000000
+0100
+++ inetutils-1.9.4/debian/patches/series 2020-09-18 15:58:34.000000000
+0200
@@ -29,3 +29,4 @@
0036-ftpd-ftpd.c-options-max-timeout-Mention-mandatory-ar.patch
0037-src-hostname.c-set_name-Handle-case-when-hostname_ne.patch
0038-src-hostname.c-parse_file-Free-name-and-allocate-one.patch
+0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.6
Hi,
Each of these bugs relates to an update that was included in today's
stable point release.
Regards,
Adam
--- End Message ---
