Your message dated Sat, 10 Sep 2022 13:36:19 +0100
with message-id
<92fe43e7805e82e43100a6471ccbf91cd9a12944.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates in 11.5
has caused the Debian Bug report #1018744,
regarding bullseye-pu: package inetutils/2:2.0-1+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1018744: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018744
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Hi!
[ Reason ]
A recent vulnerability (DoS) was reported upstream, for which I
uploaded a fixed package to sid (will migrate tomorrow). There was a
(minor) pending security update missing from bullseye. The security
team (CCed) would prefer to see these handled as normal stable updates.
[ Impact ]
These are both security issues. One against malicious ftp servers
which can end up controlling the client to connect to other hosts,
the other a DoS on the telnetd server which makes it crash with
specific two-byte payloads.
[ Tests ]
For the ftp client, there's a test recipe at
<https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html>.
For the telnetd server there's a test recipe at
<https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00003.html>
which amounts to «printf "\xff\xf7" | nc -n -v localhost 23».
Both test recipes could be reproduced before, and do not work after
the patched version.
[ Risks ]
The fix for the ftp client has been in sid since 2021-09 with no
reported regressions.
The fix for telnetd has not yet migrated to testing, but is a few lines
long, fixing a couple of NULL pointer dereferences.
[ Checklist ]
[√] *all* changes are documented in the d/changelog
[√] I reviewed all changes and I approve them
[√] attach debdiff against the package in (old)stable
[√] the issue is verified as fixed in unstable
[ Changes ]
* Fix inetutils-ftp security bug trusting FTP PASV responses.
Fixes CVE-2021-40491. Closes: #993476
* Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by
a NULL pointer dereference when sending the byte sequences «0xff 0xf7»
or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch
adapted by Erik Auerswald <[email protected]>.
[ Other info ]
None.
Thanks.
Guillem
diff -Nru inetutils-2.0/debian/changelog inetutils-2.0/debian/changelog
--- inetutils-2.0/debian/changelog 2021-02-05 23:14:20.000000000 +0100
+++ inetutils-2.0/debian/changelog 2022-08-28 16:01:41.000000000 +0200
@@ -1,3 +1,14 @@
+inetutils (2:2.0-1+deb11u1) bullseye; urgency=medium
+
+ * Fix inetutils-ftp security bug trusting FTP PASV responses.
+ Fixes CVE-2021-40491. Closes: #993476
+ * Fix remote DoS vulnerability in inetutils-telnetd, caused by a crash by
+ a NULL pointer dereference when sending the byte sequences «0xff 0xf7»
+ or «0xff 0xf8». Found by Pierre Kim and Alexandre Torres. Patch
+ adapted by Erik Auerswald <[email protected]>.
+
+ -- Guillem Jover <[email protected]> Sun, 28 Aug 2022 16:01:41 +0200
+
inetutils (2:2.0-1) unstable; urgency=medium
* New upstream release.
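Review bot: the second bullet of the new 2:2.0-1+deb11u1 stanza carries no CVE identifier, unlike the ftp bullet which cites CVE-2021-40491; if an id is assigned for the «0xff 0xf7» / «0xff 0xf8» telnetd crash, a follow-up changelog entry (or the security tracker) should reference it so the fix is traceable. The rest of the stanza (closes, attribution, signature) looks complete.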
diff -Nru inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch
--- inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch 1970-01-01 01:00:00.000000000 +0100
+++ inetutils-2.0/debian/patches/0001-ftp-check-that-PASV-LSPV-addresses-match.patch 2022-08-28 16:01:41.000000000 +0200
@@ -0,0 +1,59 @@
+From 58cb043b190fd04effdaea7c9403416b436e50dd Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <[email protected]>
+Date: Wed, 1 Sep 2021 09:09:50 +0200
+Subject: [PATCH] ftp: check that PASV/LSPV addresses match.
+
+* ftp/ftp.c (initconn): Validate returned addresses.
+---
+ ftp/ftp.c | 21 +++++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/ftp/ftp.c b/ftp/ftp.c
+index d21dbdd8..7513539d 100644
+--- a/ftp/ftp.c
++++ b/ftp/ftp.c
+@@ -1365,6 +1365,13 @@ initconn (void)
+ uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr;
+ pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) |
h[3]);
+ }
++ if (data_addr_sa4->sin_addr.s_addr
++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection.
*/
++ goto bad;
++ }
+ } /* LPSV IPv4 */
+ else /* IPv6 */
+ {
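Review bot: the diffstat in the patch header reads "ftp/ftp.c | 21" but then "2 files changed, 30 insertions(+)"; the second file was evidently dropped when the upstream commit was trimmed for Debian, so the summary line is stale and should be regenerated (or removed) to avoid confusing quilt/dpkg-source consumers. The IPv4 LPSV check itself is sound: `sin_addr.s_addr` is a scalar, so `!=` compares the two addresses by value before `goto bad`.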
+@@ -1395,6 +1402,13 @@ initconn (void)
+ pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8)
| h[11]);
+ pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] <<
8) | h[15]);
+ }
++ if (data_addr_sa6->sin6_addr.s6_addr
++ != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection.
*/
++ goto bad;
++ }
+ } /* LPSV IPv6 */
+ }
+ else /* !EPSV && !LPSV */
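Review bot: the IPv6 comparison `data_addr_sa6->sin6_addr.s6_addr != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr` compares two arrays, which decay to pointers, so it asks whether the two 16-byte buffers live at the same location rather than whether they hold the same address; they are distinct objects, so the condition is always true and every IPv6 LPSV transfer will be aborted with "Passive mode address mismatch." Replace it with a byte comparison, e.g. `memcmp (&data_addr_sa6->sin6_addr, &((struct sockaddr_in6 *) &hisctladdr)->sin6_addr, sizeof (struct in6_addr)) != 0` (or `IN6_ARE_ADDR_EQUAL`). Recent compilers warn about this construct, which is worth checking in the build log.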
+@@ -1415,6 +1429,13 @@ initconn (void)
+ | ((a2 & 0xff) << 8) | (a3 & 0xff) );
+ data_addr_sa4->sin_port =
+ htons (((p0 & 0xff) << 8) | (p1 & 0xff));
++ if (data_addr_sa4->sin_addr.s_addr
++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection.
*/
++ goto bad;
++ }
+ } /* PASV */
+ else
+ {
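Review bot: this is the third verbatim copy of the mismatch block (printf, `command ("ABOR")`, `goto bad`); factoring it into a small static helper taking the two addresses would remove the duplication and make it harder for one branch to drift from the others, as the IPv6 branch in the previous hunk already has. The PASV check here is otherwise correct, since it compares the 32-bit `s_addr` values by value.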
+--
+2.37.2
+
diff -Nru inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch
--- inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch 1970-01-01 01:00:00.000000000 +0100
+++ inetutils-2.0/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch 2022-08-28 16:01:41.000000000 +0200
@@ -0,0 +1,45 @@
+Description: Fix remote DoS vulnerability in inetutils-telnetd
+ This is caused by a crash by a NULL pointer dereference when sending the
+ byte sequences «0xff 0xf7» or «0xff 0xf8».
+Authors:
+ Pierre Kim (original patch),
+ Alexandre Torres (original patch),
+ Erik Auerswald <[email protected]> (adapted patch),
+Reviewed-by: Erik Auerswald <[email protected]>
+Origin: upstream
+Ref:
https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
+Forwarded:
https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
+Last-Update: 2022-08-28
+
+
+---
+ telnetd/state.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/telnetd/state.c
++++ b/telnetd/state.c
+@@ -315,15 +315,21 @@ telrcv (void)
+ case EC:
+ case EL:
+ {
+- cc_t ch;
++ cc_t ch = (cc_t) (_POSIX_VDISABLE);
+
+ DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
+ ptyflush (); /* half-hearted */
+ init_termbuf ();
+ if (c == EC)
+- ch = *slctab[SLC_EC].sptr;
++ {
++ if (slctab[SLC_EC].sptr)
++ ch = *slctab[SLC_EC].sptr;
++ }
+ else
+- ch = *slctab[SLC_EL].sptr;
++ {
++ if (slctab[SLC_EL].sptr)
++ ch = *slctab[SLC_EL].sptr;
++ }
+ if (ch != (cc_t) (_POSIX_VDISABLE))
+ pty_output_byte ((unsigned char) ch);
+ break;
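Review bot: the logic is correct, since `ch` now starts as `_POSIX_VDISABLE` and is only overwritten when `slctab[SLC_EC].sptr` / `slctab[SLC_EL].sptr` is non-NULL, so an unset slot leads to the existing `if (ch != (cc_t) (_POSIX_VDISABLE))` guard skipping `pty_output_byte`; the two nested blocks could be written more compactly as `if (c == EC && slctab[SLC_EC].sptr) ch = *slctab[SLC_EC].sptr; else if (c == EL && slctab[SLC_EL].sptr) ch = *slctab[SLC_EL].sptr;`. In the DEP-3 header, "Origin: upstream" should carry the URL of the upstream commit or be changed to "other", given that the "Forwarded:" line points at a mailing-list post rather than a commit; the trailing comma after the last "Authors:" entry should also go.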
diff -Nru inetutils-2.0/debian/patches/series inetutils-2.0/debian/patches/series
--- inetutils-2.0/debian/patches/series 2021-01-30 01:26:45.000000000 +0100
+++ inetutils-2.0/debian/patches/series 2022-08-28 16:00:38.000000000 +0200
@@ -1,3 +1,6 @@
# Local patches
0001-inetd-Change-protocol-semantics-in-inetd.conf.patch
0002-build-Disable-GFDL-info-files-and-useless-man-pages.patch
+# Upstream patches
+0001-ftp-check-that-PASV-LSPV-addresses-match.patch
+inetutils-telnetd-EC_EL_null_deref.patch
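Review bot: the two upstream patches are applied after the local ones, which is the right order since neither touches the files the local patches change; naming nit only: `inetutils-telnetd-EC_EL_null_deref.patch` does not follow the `NNNN-` prefix used by the other three entries, and a numbered name would keep the series ordering self-documenting.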
--- End Message ---
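The [Impact] and [Changes] sections above describe the ftp-client fix as refusing a PASV/LPSV data address that differs from the peer of the control connection. The following C program is an added example written for this page, not inetutils code: it parses a PASV reply, compares the advertised address with the control peer (IPv4 by `s_addr`, IPv6 with `memcmp` over the 16-byte `s6_addr`, which is the comparison the IPv6 branch of the patch needs), and reports whether the client should proceed or abort. All function names and the sample replies are this example's own.

```c
/* Added example (not inetutils code): validate the address advertised in an
   FTP PASV reply against the peer of the control connection, the same
   defence the Debian patch for CVE-2021-40491 applies in ftp/ftp.c.
   Function names and sample inputs are constructed for this example. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into an IPv4
   sockaddr.  Returns 1 on success, 0 on a malformed or out-of-range reply. */
int parse_pasv_reply(const char *reply, struct sockaddr_in *out)
{
    const char *p = strchr(reply, '(');
    unsigned int h[4], pp[2];
    if (!p)
        return 0;
    if (sscanf(p + 1, "%u,%u,%u,%u,%u,%u",
               &h[0], &h[1], &h[2], &h[3], &pp[0], &pp[1]) != 6)
        return 0;
    for (int i = 0; i < 4; i++)
        if (h[i] > 255)
            return 0;
    if (pp[0] > 255 || pp[1] > 255)
        return 0;
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_addr.s_addr = htonl((h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3]);
    out->sin_port = htons((pp[0] << 8) | pp[1]);
    return 1;
}

/* Compare the data-connection address with the control-connection peer.
   IPv4: compare the scalar s_addr.  IPv6: compare the 16 bytes of s6_addr
   with memcmp; comparing two arrays with == or != only compares their
   storage addresses, which is never what we want here. */
int data_addr_matches_control(const struct sockaddr *data, const struct sockaddr *ctl)
{
    if (data->sa_family != ctl->sa_family)
        return 0;
    if (data->sa_family == AF_INET) {
        const struct sockaddr_in *d = (const struct sockaddr_in *) data;
        const struct sockaddr_in *c = (const struct sockaddr_in *) ctl;
        return d->sin_addr.s_addr == c->sin_addr.s_addr;
    }
    if (data->sa_family == AF_INET6) {
        const struct sockaddr_in6 *d = (const struct sockaddr_in6 *) data;
        const struct sockaddr_in6 *c = (const struct sockaddr_in6 *) ctl;
        return memcmp(d->sin6_addr.s6_addr, c->sin6_addr.s6_addr,
                      sizeof d->sin6_addr.s6_addr) == 0;
    }
    return 0;
}

/* Decide whether a PASV reply may be followed.  Returns 1 when the reply
   parses and its address equals the control peer (given as a dotted quad);
   0 means the client should report the mismatch, send ABOR and not connect. */
int accept_pasv_reply(const char *reply, const char *ctl_peer_ip)
{
    struct sockaddr_in data, ctl;
    if (!parse_pasv_reply(reply, &data))
        return 0;
    memset(&ctl, 0, sizeof ctl);
    ctl.sin_family = AF_INET;
    if (inet_pton(AF_INET, ctl_peer_ip, &ctl.sin_addr) != 1)
        return 0;
    return data_addr_matches_control((struct sockaddr *) &data, (struct sockaddr *) &ctl);
}

/* Helper for the IPv6 (LPSV) case: compare two textual IPv6 addresses the
   way the data/control comparison must be done. */
int ipv6_literals_match(const char *a, const char *b)
{
    struct sockaddr_in6 sa, sb;
    memset(&sa, 0, sizeof sa);
    memset(&sb, 0, sizeof sb);
    sa.sin6_family = sb.sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, a, &sa.sin6_addr) != 1 || inet_pton(AF_INET6, b, &sb.sin6_addr) != 1)
        return 0;
    return data_addr_matches_control((struct sockaddr *) &sa, (struct sockaddr *) &sb);
}

int main(void)
{
    /* Constructed sample replies; control peer is 192.0.2.10 (documentation range). */
    const char *honest = "227 Entering Passive Mode (192,0,2,10,195,80)";
    const char *redirect = "227 Entering Passive Mode (198,51,100,7,195,80)";
    printf("honest reply accepted:   %d\n", accept_pasv_reply(honest, "192.0.2.10"));
    printf("redirect reply accepted: %d\n", accept_pasv_reply(redirect, "192.0.2.10"));
    printf("ipv6 same address:       %d\n", ipv6_literals_match("2001:db8::1", "2001:db8::1"));
    return 0;
}
```

A matching address returns 1 and the client may open the data connection; any other outcome (different host, malformed reply, octet above 255) returns 0 and corresponds to the "Passive mode address mismatch." / ABOR path in the patch.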
--- Begin Message ---
Package: release.debian.org
Version: 11.5
Hi,
The updates referred to in each of these bugs were included in today's
11.5 point release.
Regards,
Adam
--- End Message ---