Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#61041 - [inetutils] multiple telnet.c overflows

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Wednesday, 12 December 2018, 09:12 GMT
Last edited by Balló György (City-busz) - Friday, 12 April 2019, 14:41 GMT
Task Type Bug Report
Category Security
Status Assigned
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

Multiple buffer overflows have been found [1] in inetutils <= 1.9.4, and the initial report even mentions Arch explicitly as being vulnerable. There doesn't seem to be a new release planned so it would be nice to investigate if we can backport the fixes mentioned in [2].

[1]: https://seclists.org/oss-sec/2018/q4/217
[2]: https://seclists.org/oss-sec/2018/q4/218
This task depends upon

Comment by loqs (loqs) - Tuesday, 06 August 2019, 15:32 GMT
1.patch:
Based on [1]
This is the code block mentioned in [2]. The example mentioned in [2] is not mitigated by this patch as another buffer overflow will occur first.
2.patch:
Based on [3]
CAN-2005-0468, CAN-2005-0469
Fixes the example from [2]
3.patch:
Based on [4]
CVE-2019-0053

[1] https://github.com/freebsd/freebsd/commit/d2f83e4ec488ec62281318b26dad107e65d96d0c
[2] https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/inetutils-telnet.txt
[3] https://github.com/freebsd/freebsd/commit/fc3b18bce3b10b7d9e27cd9e8367fab8a69f3e98
[4] https://github.com/freebsd/freebsd/commit/084f697eff4428a0e87d5291d5b676f64776a117
   1.patch (0.9 KiB)
   2.patch (2.5 KiB)
   3.patch (1.3 KiB)
Comment by loqs (loqs) - Thursday, 23 July 2020, 21:27 GMT
As well as fixing CVE-2019-0053 witching to the git source fixes FTBS with gcc 10.

Given upstream's attitude in [1] I have not contacted them.

[1] https://lists.gnu.org/archive/html/bug-inetutils/2020-04/msg00010.html
Comment by Geert Hendrickx (ghen) - Saturday, 22 August 2020, 21:27 GMT
See also  FS#67679  to split out `hostname`, which is still somewhat commonly used (unlike rsh, rcp, talk and friends), but also provided by gettext (which is a base dependency). /usr/lib/gettext/hostname could be installed as /usr/bin/hostname, instead of the inetutils version.

(Granted, the gettext implementation cannot *change* the hostname, but this functionality is now provided by systemd and `hostnamectl` anyway.)
Comment by loqs (loqs) - Saturday, 22 August 2020, 21:39 GMT
@ghen perhaps you can try working with upstream given [1] I will not contact them.

[1] https://lists.gnu.org/archive/html/bug-inetutils/2020-04/msg00014.html
Comment by Geert Hendrickx (ghen) - Saturday, 22 August 2020, 21:47 GMT
I'm intending to get rid of inetutils, not to fix it. ;-)

Only `hostname` is still in actual use (eg. by xorg-xinit, mariadb, and a few others), so it should be provided by another package.
The gettext implementation is a good candidate, as it's already installed anyway (I just symlinked it in place to satisfy xorg-xinit).
Comment by Geert Hendrickx (ghen) - Friday, 09 April 2021, 19:02 GMT
For information in this bugreport, I submitted patches to various upstream packages to replace their `hostname` calls by `uname -n` (as `hostname` is not defined by POSIX, but `uname -n` is), and thus drop the inetutils dependency.

So inetutils should become less relevant in Arch, and not implicitly installed by default on most systems anymore.
Comment by loqs (loqs) - Tuesday, 08 June 2021, 00:29 GMT
@ghen can you please have a look at https://bugs.archlinux.org/task/45903#comment200128 to coordinate which upstreams have already been contacted.

Specifically I am interested in if you have contacted upstream:
metasploit
pcp
rabbitmq
x2goserver

I noticed you did testssl.sh but left a call in utils/docker-nginx.tls13-earlydata.start.sh ?

Loading...