import telnet-0.17-73.el8_1.1

This commit is contained in:
CentOS Sources 2020-07-28 08:52:54 -04:00 committed by Stepan Oksanichenko
parent f655861580
commit f29ea4775d
2 changed files with 98 additions and 1 deletions

View File

@ -0,0 +1,92 @@
diff -up netkit-telnet-0.17/telnetd/utility.c.orig netkit-telnet-0.17/telnetd/utility.c
--- netkit-telnet-0.17/telnetd/utility.c.orig 2020-03-25 11:53:56.772624325 +0100
+++ netkit-telnet-0.17/telnetd/utility.c 2020-03-25 11:54:01.966601415 +0100
@@ -221,31 +221,38 @@ void ptyflush(void)
*/
static
char *
-nextitem(char *current)
+nextitem(char *current, const char *endp)
{
+ if (current >= endp) {
+ return NULL;
+ }
if ((*current&0xff) != IAC) {
return current+1;
}
+ if (current+1 >= endp) {
+ return NULL;
+ }
switch (*(current+1)&0xff) {
case DO:
case DONT:
case WILL:
case WONT:
- return current+3;
+ return current+3 <= endp ? current+3 : NULL;
case SB: /* loop forever looking for the SE */
{
register char *look = current+2;
- for (;;) {
+ while (look < endp) {
if ((*look++&0xff) == IAC) {
- if ((*look++&0xff) == SE) {
+ if (look < endp && (*look++&0xff) == SE) {
return look;
}
}
}
+ return NULL;
}
default:
- return current+2;
+ return current+2 <= endp ? current+2 : NULL;
}
} /* end of nextitem */
@@ -271,7 +278,7 @@ void netclear(void)
register char *thisitem, *next;
char *good;
#define wewant(p) ((nfrontp > p) && ((*p&0xff) == IAC) && \
- ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+ (nfrontp > p+1 && (((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))))
#if defined(ENCRYPT)
thisitem = nclearto > netobuf ? nclearto : netobuf;
@@ -279,7 +286,7 @@ void netclear(void)
thisitem = netobuf;
#endif
- while ((next = nextitem(thisitem)) <= nbackp) {
+ while ((next = nextitem(thisitem, nbackp)) != NULL && next <= nbackp) {
thisitem = next;
}
@@ -291,20 +298,23 @@ void netclear(void)
good = netobuf; /* where the good bytes go */
#endif
- while (nfrontp > thisitem) {
+ while (thisitem != NULL && nfrontp > thisitem) {
if (wewant(thisitem)) {
int length;
next = thisitem;
do {
- next = nextitem(next);
- } while (wewant(next) && (nfrontp > next));
+ next = nextitem(next, nfrontp);
+ } while (next != NULL && wewant(next) && (nfrontp > next));
+ if (next == NULL) {
+ next = nfrontp;
+ }
length = next-thisitem;
bcopy(thisitem, good, length);
good += length;
thisitem = next;
} else {
- thisitem = nextitem(thisitem);
+ thisitem = nextitem(thisitem, nfrontp);
}
}

View File

@ -3,7 +3,7 @@
Summary: The client program for the Telnet remote login protocol
Name: telnet
Version: 0.17
Release: 73%{?dist}
Release: 73%{?dist}.1
Epoch: 1
License: BSD
Group: Applications/Internet
@ -41,6 +41,7 @@ Patch29: netkit-telnet-0.17-gcc7.patch
Patch30: netkit-telnet-0.17-manpage.patch
Patch31: netkit-telnet-0.17-covscan.patch
Patch32: telnet-log-address.patch
Patch33: telnet-0.17-overflow-exploit.patch
BuildRequires: ncurses-devel systemd
BuildRequires: perl-interpreter
@ -97,6 +98,7 @@ mv telnet telnet-NETKIT
%patch30 -p1 -b .manpage
%patch31 -p1 -b .covscan
%patch32 -p1 -b .log-address
%patch33 -p1 -b .overflow
%build
%ifarch s390 s390x
@ -162,6 +164,9 @@ install -p -m644 %SOURCE6 ${RPM_BUILD_ROOT}%{_unitdir}/telnet.socket
%{_mandir}/man8/telnetd.8*
%changelog
* Thu Mar 26 2020 Michal Ruprich <michalruprich@gmail.com> - 1:0.17-73.1
- Resolves: #1814473 - Arbitrary remote code execution in utility.c via short writes or urgent data
* Thu Oct 04 2018 Michal Ruprich <mruprich@redhat.com> - 1:0.17-73
- Resolves: #1602711 - Please review important issues found by covscan
- Resolves: #1637085 - Option -i is missing in telnet in el8 but is available in el7