From c7a33c2d5adbb527023970e20407caca6a9581e9 Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Tue, 21 Oct 2025 16:53:47 +0200 Subject: [PATCH] netkit-telnet: patch CVE-2022-39028 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-39028 Pick the patch mentioned in the nvd report. Signed-off-by: Gyorgy Sarvari --- .../netkit-telnet/files/CVE-2022-39028.patch | 72 +++++++++++++++++++ .../netkit-telnet/netkit-telnet_0.17.bb | 1 + 2 files changed, 73 insertions(+) create mode 100644 meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch diff --git a/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch new file mode 100644 index 0000000000..f88ee87f57 --- /dev/null +++ b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch @@ -0,0 +1,72 @@ +From 1949388e52acd343bb3e366d816b33912e38db39 Mon Sep 17 00:00:00 2001 +From: Guillem Jover +Date: Sun, 28 Aug 2022 15:07:29 +0200 +Subject: [PATCH] Fix remote DoS vulnerability in inetutils-telnetd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is caused by a crash by a NULL pointer dereference when sending +the byte sequences «0xff 0xf7» or «0xff 0xf8». + +Found-by: Pierre Kim and Alexandre Torres +Patch-adapted-by: Erik Auerswald + +CVE: CVE-2022-39028 +Upstream-Status: Backport [https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=113da8021710d871c7dd72d2a4d5615d42d64289] + +Signed-off-by: Gyorgy Sarvari +--- + .../inetutils-telnetd-EC_EL_null_deref.patch | 43 +++++++++++++++++++ + 1 file changed, 43 insertions(+) + create mode 100644 debian/patches/inetutils-telnetd-EC_EL_null_deref.patch + +diff --git a/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch b/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch +new file mode 100644 +index 0000000..fac5e3f +--- /dev/null ++++ b/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch +@@ -0,0 +1,43 @@ ++Description: Fix remote DoS vulnerability in inetutils-telnetd ++ This is caused by a crash by a NULL pointer dereference when sending the ++ byte sequences «0xff 0xf7» or «0xff 0xf8». ++Authors: ++ Pierre Kim (original patch), ++ Alexandre Torres (original patch), ++ Erik Auerswald (adapted patch), ++Reviewed-by: Erik Auerswald ++Origin: upstream ++Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html ++Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html ++Last-Update: 2022-08-28 ++ ++ ++diff --git a/telnetd/state.c b/telnetd/state.c ++index ffc6cbaf..c2d760f8 100644 ++--- a/telnetd/state.c +++++ b/telnetd/state.c ++@@ -312,15 +312,21 @@ telrcv (void) ++ case EC: ++ case EL: ++ { ++- cc_t ch; +++ cc_t ch = (cc_t) (_POSIX_VDISABLE); ++ ++ DEBUG (debug_options, 1, printoption ("td: recv IAC", c)); ++ ptyflush (); /* half-hearted */ ++ init_termbuf (); ++ if (c == EC) ++- ch = *slctab[SLC_EC].sptr; +++ { +++ if (slctab[SLC_EC].sptr) +++ ch = *slctab[SLC_EC].sptr; +++ } ++ else ++- ch = *slctab[SLC_EL].sptr; +++ { +++ if (slctab[SLC_EL].sptr) +++ ch = *slctab[SLC_EL].sptr; +++ } ++ if (ch != (cc_t) (_POSIX_VDISABLE)) ++ pty_output_byte ((unsigned char) ch); ++ break; diff --git a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb index 56860ea098..6cfc886350 100644 --- a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb +++ b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb @@ -14,6 +14,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/netkit-telnet_${PV}.orig.tar.gz file://0001-telnet-telnetd-Fix-deadlock-on-cleanup.patch \ file://CVE-2020-10188.patch \ file://0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch \ + file://CVE-2022-39028.patch \ " UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/"