From: Sanjay Chitroda <[email protected]>

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-39028
https://security-tracker.debian.org/tracker/CVE-2022-39028

Upstream Patch:
https://cgit.freebsd.org/src/commit/?id=6914ffef4e23

- The patch is adopted from FreeBSD, as the same telnetd vulnerability
  applies to both the FreeBSD and netkit-telnet packages.

Signed-off-by: Sanjay Chitroda <[email protected]>
---
 .../netkit-telnet/files/CVE-2022-39028.patch  | 53 +++++++++++++++++++
 .../netkit-telnet/netkit-telnet_0.17.bb       |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 
meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch

diff --git 
a/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch 
b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch
new file mode 100644
index 000000000..e8c3f1d84
--- /dev/null
+++ b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch
@@ -0,0 +1,53 @@
+From 4133a888aa256312186962ab70d4a36eed5920c1 Mon Sep 17 00:00:00 2001
+From: Brooks Davis <[email protected]>
+Date: Mon, 26 Sep 2022 18:56:51 +0100
+Subject: [PATCH] telnetd: fix two-byte input crash
+
+Move initialization of the slc table earlier so it doesn't get
+accessed before that happens.
+
+For details on the issue, see:
+https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
+
+Reviewed by:   cy
+Obtained from: NetBSD via cy
+Differential Revision: https://reviews.freebsd.org/D36680
+
+CVE: CVE-2022-39028
+Upstream-Status: Backport 
[https://cgit.freebsd.org/src/commit/?id=6914ffef4e23]
+
+(cherry picked from commit 6914ffef4e2318ca1d0ead28eafb6f06055ce0f8)
+Signed-off-by: Sanjay Chitroda <[email protected]>
+
+---
+ telnetd/telnetd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/telnetd/telnetd.c b/telnetd/telnetd.c
+index f36f505..efa0fe1 100644
+--- a/telnetd/telnetd.c
++++ b/telnetd/telnetd.c
+@@ -615,6 +615,11 @@ doit(struct sockaddr_in *who)
+       int level;
+       char user_name[256];
+ 
++      /*
++       * Initialize the slc mapping table.
++       */
++      get_slc_defaults();
++
+       /*
+        * Find an available pty to use.
+        */
+@@ -698,11 +703,6 @@ void telnet(int f, int p)
+     char *HE;
+     const char *IM;
+ 
+-    /*
+-     * Initialize the slc mapping table.
+-     */
+-    get_slc_defaults();
+-
+     /*
+      * Do some tests where it is desireable to wait for a response.
+      * Rather than doing them slowly, one at a time, do them all
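Review bot: The `Upstream-Status: Backport` line in the embedded patch header is split in two, and the continuation `[https://cgit.freebsd.org/src/commit/?id=6914ffef4e23]` has no leading `+`, so this hunk is malformed as sent. The hunk header announces 53 added lines, and that count only works if the URL is part of the tag line. Please resend without line wrapping (for example with git send-email) so the tag stays on one line. Separately, the tag calls this a Backport, while the cover text says the change is adopted from FreeBSD and the recipe fetches netkit-telnet from the Debian mirror. The patch header should say that the FreeBSD commit was applied to netkit-telnet's telnetd/telnetd.c and that the earlier get_slc_defaults() call in doit() was checked against that source.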
diff --git a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb 
b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
index e28eeae49..d3de038d1 100644
--- a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
+++ b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
@@ -16,6 +16,7 @@ SRC_URI = 
"${DEBIAN_MIRROR}/main/n/netkit-telnet/netkit-telnet_${PV}.orig.tar.gz
            
file://0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch \
            
file://0001-utility-Include-time.h-form-time-and-strftime-protot.patch \
            file://0001-Drop-using-register-keyword.patch \
+           file://CVE-2022-39028.patch \
            "
 
 UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/"
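Review bot: The context of this hunk is wrapped: `SRC_URI =` is separated from its value, and two of the `file://` entries sit on lines of their own without the leading context space, so the hunk cannot match netkit-telnet_0.17.bb when applied from this mail. The added `file://CVE-2022-39028.patch \` entry follows the existing list format; resend the patch unwrapped so that it applies.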
-- 
2.35.6
