Resolves: #1814478 - Arbitrary remote code execution in utility.c via short writes or urgent data

telnet-0.17-overflow-exploit.patch

@@ -0,0 +1,92 @@
+diff -up netkit-telnet-0.17/telnetd/utility.c.orig netkit-telnet-0.17/telnetd/utility.c
+--- netkit-telnet-0.17/telnetd/utility.c.orig	2020-03-25 11:53:56.772624325 +0100
++++ netkit-telnet-0.17/telnetd/utility.c	2020-03-25 11:54:01.966601415 +0100
+@@ -221,31 +221,38 @@ void 	ptyflush(void)
+  */
+ static
+ char *
+-nextitem(char *current)
++nextitem(char *current, const char *endp)
+ {
++    if (current >= endp) {
++        return NULL;
++    }
+     if ((*current&0xff) != IAC) {
+ 	return current+1;
+     }
++    if (current+1 >= endp) {
++        return NULL;
++    }
+     switch (*(current+1)&0xff) {
+     case DO:
+     case DONT:
+     case WILL:
+     case WONT:
+-	return current+3;
++	return current+3 <= endp ? current+3 : NULL;
+     case SB:		/* loop forever looking for the SE */
+ 	{
+ 	    register char *look = current+2;
+ 
+-	    for (;;) {
++	    while (look < endp) {
+ 		if ((*look++&0xff) == IAC) {
+-		    if ((*look++&0xff) == SE) {
++		    if (look < endp && (*look++&0xff) == SE) {
+ 			return look;
+ 		    }
+ 		}
+ 	    }
++	    return NULL;
+ 	}
+     default:
+-	return current+2;
++	return current+2 <= endp ? current+2 : NULL;
+     }
+ }  /* end of nextitem */
+ 
+@@ -271,7 +278,7 @@ void netclear(void)
+     register char *thisitem, *next;
+     char *good;
+ #define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
+-				((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
++				(nfrontp > p+1 && (((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))))
+ 
+ #if	defined(ENCRYPT)
+     thisitem = nclearto > netobuf ? nclearto : netobuf;
+@@ -279,7 +286,7 @@ void netclear(void)
+     thisitem = netobuf;
+ #endif
+ 
+-    while ((next = nextitem(thisitem)) <= nbackp) {
++    while ((next = nextitem(thisitem, nbackp)) != NULL && next <= nbackp) {
+ 	thisitem = next;
+     }
+ 
+@@ -291,20 +298,23 @@ void netclear(void)
+     good = netobuf;	/* where the good bytes go */
+ #endif
+ 
+-    while (nfrontp > thisitem) {
++    while (thisitem != NULL && nfrontp > thisitem) {
+ 	if (wewant(thisitem)) {
+ 	    int length;
+ 
+ 	    next = thisitem;
+ 	    do {
+-		next = nextitem(next);
+-	    } while (wewant(next) && (nfrontp > next));
++		next = nextitem(next, nfrontp);
++	    } while (next != NULL && wewant(next) && (nfrontp > next));
++	    if (next == NULL) {
++		next = nfrontp;
++	    }
+ 	    length = next-thisitem;
+ 	    bcopy(thisitem, good, length);
+ 	    good += length;
+ 	    thisitem = next;
+ 	} else {
+-	    thisitem = nextitem(thisitem);
++	    thisitem = nextitem(thisitem, nfrontp);
+ 	}
+     }

telnet.spec

@@ -3,7 +3,7 @@
 Summary: The client program for the Telnet remote login protocol
 Name: telnet
 Version: 0.17
-Release: 78%{?dist}
+Release: 79%{?dist}
 Epoch: 1
 License: BSD
 Source0: ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/netkit-telnet-%{version}.tar.gz
@@ -40,6 +40,7 @@ Patch29: netkit-telnet-0.17-gcc7.patch
 Patch30: netkit-telnet-0.17-manpage.patch
 Patch31: netkit-telnet-0.17-telnetrc.patch
 Patch32: telnet-log-address.patch
+Patch33: telnet-0.17-overflow-exploit.patch
 
 BuildRequires: ncurses-devel systemd gcc gcc-c++
 BuildRequires: perl-interpreter
@@ -95,6 +96,7 @@ mv telnet telnet-NETKIT
 %patch30 -p1 -b .manpage
 %patch31 -p1 -b .telnetrc
 %patch32 -p1 -b .log-address
+%patch33 -p1 -b .overflow
 
 %build
 %ifarch s390 s390x
@@ -159,6 +161,9 @@ install -p -m644 %SOURCE6 ${RPM_BUILD_ROOT}%{_unitdir}/telnet.socket
 %{_mandir}/man8/telnetd.8*
 
 %changelog
+* Fri Mar 27 2020 Michal Ruprich <michalruprich@gmail.com> - 1:0.17-79
+- Resolves: #1814478 - Arbitrary remote code execution in utility.c via short writes or urgent data
+
 * Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.17-78
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild