mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
c7a33c2d5a
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-39028 Pick the patch mentioned in the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
73 lines
2.5 KiB
Diff
73 lines
2.5 KiB
Diff
From 1949388e52acd343bb3e366d816b33912e38db39 Mon Sep 17 00:00:00 2001
|
|
From: Guillem Jover <guillem@debian.org>
|
|
Date: Sun, 28 Aug 2022 15:07:29 +0200
|
|
Subject: [PATCH] Fix remote DoS vulnerability in inetutils-telnetd
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
This is caused by a crash by a NULL pointer dereference when sending
|
|
the byte sequences «0xff 0xf7» or «0xff 0xf8».
|
|
|
|
Found-by: Pierre Kim and Alexandre Torres
|
|
Patch-adapted-by: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
|
|
|
|
CVE: CVE-2022-39028
|
|
Upstream-Status: Backport [https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=113da8021710d871c7dd72d2a4d5615d42d64289]
|
|
|
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
|
---
|
|
.../inetutils-telnetd-EC_EL_null_deref.patch | 43 +++++++++++++++++++
|
|
1 file changed, 43 insertions(+)
|
|
create mode 100644 debian/patches/inetutils-telnetd-EC_EL_null_deref.patch
|
|
|
|
diff --git a/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch b/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch
|
|
new file mode 100644
|
|
index 0000000..fac5e3f
|
|
--- /dev/null
|
|
+++ b/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch
|
|
@@ -0,0 +1,43 @@
|
|
+Description: Fix remote DoS vulnerability in inetutils-telnetd
|
|
+ This is caused by a crash by a NULL pointer dereference when sending the
|
|
+ byte sequences «0xff 0xf7» or «0xff 0xf8».
|
|
+Authors:
|
|
+ Pierre Kim (original patch),
|
|
+ Alexandre Torres (original patch),
|
|
+ Erik Auerswald <auerswal@unix-ag.uni-kl.de> (adapted patch),
|
|
+Reviewed-by: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
|
|
+Origin: upstream
|
|
+Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
|
|
+Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
|
|
+Last-Update: 2022-08-28
|
|
+
|
|
+
|
|
+diff --git a/telnetd/state.c b/telnetd/state.c
|
|
+index ffc6cbaf..c2d760f8 100644
|
|
+--- a/telnetd/state.c
|
|
++++ b/telnetd/state.c
|
|
+@@ -312,15 +312,21 @@ telrcv (void)
|
|
+ case EC:
|
|
+ case EL:
|
|
+ {
|
|
+- cc_t ch;
|
|
++ cc_t ch = (cc_t) (_POSIX_VDISABLE);
|
|
+
|
|
+ DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
|
|
+ ptyflush (); /* half-hearted */
|
|
+ init_termbuf ();
|
|
+ if (c == EC)
|
|
+- ch = *slctab[SLC_EC].sptr;
|
|
++ {
|
|
++ if (slctab[SLC_EC].sptr)
|
|
++ ch = *slctab[SLC_EC].sptr;
|
|
++ }
|
|
+ else
|
|
+- ch = *slctab[SLC_EL].sptr;
|
|
++ {
|
|
++ if (slctab[SLC_EL].sptr)
|
|
++ ch = *slctab[SLC_EL].sptr;
|
|
++ }
|
|
+ if (ch != (cc_t) (_POSIX_VDISABLE))
|
|
+ pty_output_byte ((unsigned char) ch);
|
|
+ break;
|