Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd
From: Guillem Jover
Subject: Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer ---> SEGV)
Date: Wed, 7 Sep 2022 22:20:30 +0200

[ Resending with To trimmed. ]

Hi!

On Tue, 2022-08-30 at 22:57:51 +0200, Guillem Jover wrote:
> On Sun, 2022-08-28 at 14:40:44 +0200, Erik Auerswald wrote:
> > On Sat, Aug 27, 2022 at 07:37:15PM +0200, Erik Auerswald wrote:
> > > someone has described a remote DoS vulnerability in
> > > many telnetd implementations that I just happened to
> > > stumble over:
> > >
> > > https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
> > >
> > > The vulnerability is a NULL pointer dereference when
> > > reading either of two two byte sequences:
> > >
> > > 1: 0xff 0xf7
> > > 2: 0xff 0xf8
> > >
> > > The blog shows GNU Inetutils' telnetd as vulnerable:
> > >
> > > https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html#remote-dos-inetutils
>
> This has been assigned CVE-2022-39028 (I think from the Debian pool),
> after I reported it to the Debian security team.

While it might have been nice to get this in the commit message, I
think it would still be nice to add a reference in the NEWS. :)

> > > [...]
> > > In GNU Inetutils, the code lines to dereference table
> > > entries without first checking for NULL are in lines
> > > 321 and 323 of file "telnetd/state.c". The variable
> > > "ch" declared in line 315 of this file needs to be
> > > initialized to "(cc_t) (_POSIX_VDISABLE)", because it
> > > may not be assigned any value if the table is not yet
> > > initialized.
> > >
> > > References:
> > >
> > > line 315:
> > > https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n315
> > > line 321:
> > > https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n321
> > > line 323:
> > > https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n323
> > >
> > > I have attached a completely untested, not even compile
> > > tested, patch to do this (just the code changes, no NEWS
> > > or commit log or anything). Please test before committing.
> >
> > I have tested the patch now, it compiles and prevents the
> > crash by preventing the NULL pointer dereference.
>
> Thanks, I included this the other day in an upload to Debian sid, and
> I'm preparing updates for the Debian stable and oldstable releases too.

Thanks,
Guillem
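
The pattern the report describes, as an added example that is not code from GNU Inetutils or from this thread: a simplified C model of handling the command byte that follows 0xff (0xf7 or 0xf8) when the table entry may still be NULL. The struct, enum and function names are hypothetical; only the two byte values, the NULL check and the "(cc_t) (_POSIX_VDISABLE)" initialization come from the message above.

```c
#include <stddef.h>
#include <termios.h>  /* cc_t */
#include <unistd.h>   /* _POSIX_VDISABLE */

#define EC 0xf7       /* Telnet "erase character", sent after IAC (0xff) */
#define EL 0xf8       /* Telnet "erase line", sent after IAC (0xff) */

/* Hypothetical stand-in for the special-character table: each slot points
   at a terminal control character once the terminal state is set up, and
   is NULL before that. */
struct slot { cc_t *sptr; };
enum { SLOT_EC, SLOT_EL, SLOT_MAX };

/* Handle the command byte that followed IAC.  Returns the number of bytes
   written to out (0 or 1), or -1 if cmd is neither EC nor EL. */
int handle_erase(const struct slot tab[SLOT_MAX], unsigned char cmd,
                 unsigned char *out)
{
    cc_t ch = (cc_t) _POSIX_VDISABLE;  /* defined even if no slot is read */
    const cc_t *p;

    if (cmd == EC)
        p = tab[SLOT_EC].sptr;
    else if (cmd == EL)
        p = tab[SLOT_EL].sptr;
    else
        return -1;

    if (p != NULL)                     /* check before dereferencing the entry */
        ch = *p;
    if (ch == (cc_t) _POSIX_VDISABLE)
        return 0;                      /* nothing to forward to the pty */
    *out = (unsigned char) ch;
    return 1;
}

int main(void)
{
    struct slot early[SLOT_MAX] = { { NULL }, { NULL } };  /* constructed: table not set up */
    cc_t erase = 0x7f, kill = 0x15;                        /* constructed sample values */
    struct slot ready[SLOT_MAX] = { { &erase }, { &kill } };
    unsigned char out = 0;

    if (handle_erase(early, EC, &out) != 0) return 1;
    if (handle_erase(ready, EL, &out) != 1 || out != 0x15) return 1;
    return 0;
}
```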