From 7fe48cbcb5d5c5594e848a95b4884cf0c09360eb Mon Sep 17 00:00:00 2001 From: Michal Ruprich Date: Fri, 25 Sep 2020 08:47:35 +0200 Subject: [PATCH] Resolves: #1882606 - in.telnetd needs to tolerate temporary EIO errors --- telnet-0.17-pty-retry.patch | 42 +++++++++++++++++++++++++++++++++++++ telnet.spec | 9 ++++++-- 2 files changed, 49 insertions(+), 2 deletions(-) create mode 100644 telnet-0.17-pty-retry.patch diff --git a/telnet-0.17-pty-retry.patch b/telnet-0.17-pty-retry.patch new file mode 100644 index 0000000..0d787f4 --- /dev/null +++ b/telnet-0.17-pty-retry.patch @@ -0,0 +1,42 @@ +--- a/telnetd/telnetd.c ++++ b/telnetd/telnetd.c +@@ -772,7 +772,6 @@ void telnet(int f, int p) + int on = 1; + char *HE; + const char *IM; +- int pty_read_ok = 0; /* track whether the pty read has worked yet */ + + /* + * Initialize the slc mapping table. +@@ -1086,19 +1085,24 @@ void telnet(int f, int p) + * Something to read from the pty... + */ + if (FD_ISSET(p, &ibits)) { ++ int eio = 0; ++read_pty: + pcc = read(p, ptyibuf, BUFSIZ); +- /* +- * On some systems, if we try to read something +- * off the master side before the slave side is +- * opened, we get EIO. +- */ +- if (pcc < 0 && (errno == EWOULDBLOCK || (errno == EIO && pty_read_ok == 0))) { ++ if (pcc < 0 && errno == EWOULDBLOCK) { + pcc = 0; + } ++ /* ++ * If we try to read something off the master side while the slave ++ * side is temporarily closed by login process, we get EIO. ++ */ ++ else if (pcc < 0 && errno == EIO && eio < 1000) { ++ eio++; ++ poll(NULL, 0, 10); ++ goto read_pty; ++ } + else { + if (pcc <= 0) + break; +- pty_read_ok = 1; /* mark connection up for read */ + #ifdef LINEMODE + /* + * If ioctl from pty, pass it through net diff --git a/telnet.spec b/telnet.spec index d15d1b9..74655f6 100644 --- a/telnet.spec +++ b/telnet.spec @@ -3,7 +3,7 @@ Summary: The client program for the Telnet remote login protocol Name: telnet Version: 0.17 -Release: 80%{?dist} +Release: 81%{?dist} Epoch: 1 License: BSD Source0: ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/netkit-telnet-%{version}.tar.gz @@ -41,6 +41,7 @@ Patch30: netkit-telnet-0.17-manpage.patch Patch31: netkit-telnet-0.17-telnetrc.patch Patch32: telnet-log-address.patch Patch33: telnet-0.17-overflow-exploit.patch +Patch34: telnet-0.17-pty-retry.patch BuildRequires: ncurses-devel systemd gcc gcc-c++ BuildRequires: perl-interpreter @@ -97,6 +98,7 @@ mv telnet telnet-NETKIT %patch31 -p1 -b .telnetrc %patch32 -p1 -b .log-address %patch33 -p1 -b .overflow +%patch34 -p1 -b .pty-retry %build %ifarch s390 s390x @@ -161,10 +163,13 @@ install -p -m644 %SOURCE6 ${RPM_BUILD_ROOT}%{_unitdir}/telnet.socket %{_mandir}/man8/telnetd.8* %changelog +* Fri Sep 25 2020 Michal Ruprich - 1:0.17-81 +- Resolves: #1882606 - in.telnetd needs to tolerate temporary EIO errors + * Wed Jul 29 2020 Fedora Release Engineering - 1:0.17-80 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild -* Fri Mar 27 2020 Michal Ruprich - 1:0.17-79 +* Fri Mar 27 2020 Michal Ruprich - 1:0.17-79 - Resolves: #1814478 - Arbitrary remote code execution in utility.c via short writes or urgent data * Fri Jan 31 2020 Fedora Release Engineering - 1:0.17-78