FS#61041 - [inetutils] multiple telnet.c overflows

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Wednesday, 12 December 2018, 09:12 GMT
Last edited by Antonio Rojas (arojas) - Sunday, 19 June 2022, 09:34 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Multiple buffer overflows have been found [1] in inetutils <= 1.9.4, and the initial report even mentions Arch explicitly as being vulnerable. There doesn't seem to be a new release planned so it would be nice to investigate if we can backport the fixes mentioned in [2].

[1]: https://seclists.org/oss-sec/2018/q4/217
[2]: https://seclists.org/oss-sec/2018/q4/218
This task depends upon

Closed by  Antonio Rojas (arojas)
Sunday, 19 June 2022, 09:34 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed in inetutils 2.x. See also  FS#70040 . The heap overflow in https://seclists.org/oss-sec/2018/q4/217 isn't reproducible with inetutils 2.2 either.
Comment by loqs (loqs) - Tuesday, 06 August 2019, 15:32 GMT
1.patch:
Based on [1]
This is the code block mentioned in [2]. The example mentioned in [2] is not mitigated by this patch as another buffer overflow will occur first.
2.patch:
Based on [3]
CAN-2005-0468, CAN-2005-0469
Fixes the example from [2]
3.patch:
Based on [4]
CVE-2019-0053

[1] https://github.com/freebsd/freebsd/commit/d2f83e4ec488ec62281318b26dad107e65d96d0c
[2] https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/inetutils-telnet.txt
[3] https://github.com/freebsd/freebsd/commit/fc3b18bce3b10b7d9e27cd9e8367fab8a69f3e98
[4] https://github.com/freebsd/freebsd/commit/084f697eff4428a0e87d5291d5b676f64776a117
   1.patch (0.9 KiB)
   2.patch (2.5 KiB)
   3.patch (1.3 KiB)
Comment by loqs (loqs) - Thursday, 23 July 2020, 21:27 GMT
As well as fixing CVE-2019-0053 witching to the git source fixes FTBS with gcc 10.

Given upstream's attitude in [1] I have not contacted them.

[1] https://lists.gnu.org/archive/html/bug-inetutils/2020-04/msg00010.html
   PKGBUILD (4.5 KiB)
   fix-CAN-2005-0468-CAN-2005-04... (2.5 KiB)
   fix-CVE-2018-20685-and-CVE-20... (0.5 KiB)
   0053-telnetd-Fix-arbitrary-re... (3.4 KiB)
Comment by Geert Hendrickx (ghen) - Saturday, 22 August 2020, 21:27 GMT
See also  FS#67679  to split out `hostname`, which is still somewhat commonly used (unlike rsh, rcp, talk and friends), but also provided by gettext (which is a base dependency). /usr/lib/gettext/hostname could be installed as /usr/bin/hostname, instead of the inetutils version.

(Granted, the gettext implementation cannot *change* the hostname, but this functionality is now provided by systemd and `hostnamectl` anyway.)
Comment by loqs (loqs) - Saturday, 22 August 2020, 21:39 GMT
@ghen perhaps you can try working with upstream given [1] I will not contact them.

[1] https://lists.gnu.org/archive/html/bug-inetutils/2020-04/msg00014.html
Comment by Geert Hendrickx (ghen) - Saturday, 22 August 2020, 21:47 GMT
I'm intending to get rid of inetutils, not to fix it. ;-)

Only `hostname` is still in actual use (eg. by xorg-xinit, mariadb, and a few others), so it should be provided by another package.
The gettext implementation is a good candidate, as it's already installed anyway (I just symlinked it in place to satisfy xorg-xinit).
Comment by Geert Hendrickx (ghen) - Friday, 09 April 2021, 19:02 GMT
For information in this bugreport, I submitted patches to various upstream packages to replace their `hostname` calls by `uname -n` (as `hostname` is not defined by POSIX, but `uname -n` is), and thus drop the inetutils dependency.

So inetutils should become less relevant in Arch, and not implicitly installed by default on most systems anymore.
Comment by loqs (loqs) - Tuesday, 08 June 2021, 00:29 GMT
@ghen can you please have a look at https://bugs.archlinux.org/task/45903#comment200128 to coordinate which upstreams have already been contacted.

Specifically I am interested in if you have contacted upstream:
metasploit
pcp
rabbitmq
x2goserver

I noticed you did testssl.sh but left a call in utils/docker-nginx.tls13-earlydata.start.sh ?

Loading...