From 7286d8a876e32f22c444b20b3c310906cbbe6561 Mon Sep 17 00:00:00 2001 From: Vchanger <348085547@qq.com> Date: Mon, 27 Apr 2020 17:36:24 +0800 Subject: [PATCH] telnet: fix CVE-2020-10188 --- CVE-2020-10188.patch | 97 ++++++++++++++++++++++++++++++++++++++++++++ telnet.spec | 9 +++- 2 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 CVE-2020-10188.patch diff --git a/CVE-2020-10188.patch b/CVE-2020-10188.patch new file mode 100644 index 0000000..fa2b23d --- /dev/null +++ b/CVE-2020-10188.patch @@ -0,0 +1,97 @@ +diff --git a/telnetd/utility.c b/telnetd/utility.c +index 82edee5..514ec19 100644 +--- a/telnetd/utility.c ++++ b/telnetd/utility.c +@@ -219,31 +219,38 @@ void ptyflush(void) + */ + static + char * +-nextitem(char *current) ++nextitem(char *current, const char *endp) + { ++ if (current >= endp) { ++ return NULL; ++ } + if ((*current&0xff) != IAC) { + return current+1; + } ++ if (current+1 >= endp) { ++ return NULL; ++ } + switch (*(current+1)&0xff) { + case DO: + case DONT: + case WILL: + case WONT: +- return current+3; ++ return current+3 <= endp ? current+3 : NULL; + case SB: /* loop forever looking for the SE */ + { + register char *look = current+2; + +- for (;;) { ++ while (look < endp) { + if ((*look++&0xff) == IAC) { +- if ((*look++&0xff) == SE) { ++ if (look < endp && (*look++&0xff) == SE) { + return look; + } + } + } ++ return NULL; + } + default: +- return current+2; ++ return current+2 <= endp ? current+2 : NULL; + } + } /* end of nextitem */ + +@@ -269,7 +276,7 @@ void netclear(void) + register char *thisitem, *next; + char *good; + #define wewant(p) ((nfrontp > p) && ((*p&0xff) == IAC) && \ +- ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL)) ++ (nfrontp > p+1 && (((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL)))) + + #if defined(ENCRYPT) + thisitem = nclearto > netobuf ? nclearto : netobuf; +@@ -277,7 +284,7 @@ void netclear(void) + thisitem = netobuf; + #endif + +- while ((next = nextitem(thisitem)) <= nbackp) { ++ while ((next = nextitem(thisitem, nbackp)) != NULL && next <= nbackp) { + thisitem = next; + } + +@@ -289,20 +296,23 @@ void netclear(void) + good = netobuf; /* where the good bytes go */ + #endif + +- while (nfrontp > thisitem) { ++ while (thisitem != NULL && nfrontp > thisitem) { + if (wewant(thisitem)) { + int length; + + next = thisitem; + do { +- next = nextitem(next); +- } while (wewant(next) && (nfrontp > next)); ++ next = nextitem(next, nfrontp); ++ } while (next != NULL && wewant(next) && (nfrontp > next)); ++ if (next == NULL) { ++ next = nfrontp; ++ } + length = next-thisitem; + bcopy(thisitem, good, length); + good += length; + thisitem = next; + } else { +- thisitem = nextitem(thisitem); ++ thisitem = nextitem(thisitem, nfrontp); + } + } + +-- +1.8.3.1 + diff --git a/telnet.spec b/telnet.spec index b09bd22..d72652c 100644 --- a/telnet.spec +++ b/telnet.spec @@ -1,7 +1,7 @@ Name: telnet Epoch: 1 Version: 0.17 -Release: 75 +Release: 76 Summary: Client and Server programs for the Telnet communication protocol License: BSD Url: http://web.archive.org/web/20070819111735/www.hcs.harvard.edu/~dholland/computers/old-netkit.html @@ -38,6 +38,7 @@ Patch0023: netkit-telnet-0.17-core-dump.patch Patch0024: netkit-telnet-0.17-gcc7.patch Patch0025: netkit-telnet-0.17-manpage.patch Patch0026: netkit-telnet-0.17-telnetrc.patch +Patch0027: CVE-2020-10188.patch BuildRequires: gcc-c++ ncurses-devel systemd Requires: systemd @@ -101,5 +102,11 @@ install -pm644 %{SOURCE3} %{buildroot}%{_unitdir}/telnet.socket %{_mandir}/man1/telnet.1* %changelog +* Mon Apr 27 2020 openEuler Buildteam - 1:0.17-76 +- Type:cves +- ID:CVE-2020-10188 +- SUG:restart +- DESC:fix CVE-2020-10188 + * Sat Sep 14 2019 huzhiyu - 1:0.17-75 - Package init -- Gitee