Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd

bug-inetutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd

From:	Guillem Jover
Subject:	Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer ---> SEGV)
Date:	Tue, 30 Aug 2022 22:57:51 +0200

Hi!

On Sun, 2022-08-28 at 14:40:44 +0200, Erik Auerswald wrote:
> On Sat, Aug 27, 2022 at 07:37:15PM +0200, Erik Auerswald wrote:
> > someone has described a remote DoS vulnerability in
> > many telnetd implementations that I just happened to
> > stumble over:
> > 
> > https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
> > 
> > The vulnerability is a NULL pointer dereference when
> > reading either of two two byte sequences:
> > 
> >     1: 0xff 0xf7
> >     2: 0xff 0xf8
> > 
> > The blog shows GNU Inetutils' telnetd as vulnerable:
> > 
> > https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html#remote-dos-inetutils

This has been assigned CVE-2022-39028 (I think from the Debian pool),
after I reported it to the Debian security team.

> > [...]
> > In GNU Inetutils, the code lines to dereference table
> > entries without first checking for NULL are in lines
> > 321 and 323 of file "telnetd/state.c".  The variable
> > "ch" declared in line 315 of this file needs to be
> > initialized to "(cc_t) (_POSIX_VDISABLE)", because it
> > may not be assigned any value if the table is not yet
> > initialized.
> > 
> > References:
> > 
> >     line 315: 
> > https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n315
> >     line 321: 
> > https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n321
> >     line 323: 
> > https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n323
> > 
> > I have attached a completely untested, not even compile
> > tested, patch to do this (just the code changes, no NEWS
> > or commit log or anything).  Please test before committing.
> 
> I have tested the patch now, it compiles and prevents the
> crash by preventing the NULL pointer dereference.

Thanks, I included this the other day in an upload to Debian sid, and
I'm preparing updates for the Debian stable and oldstable releases too.

Regards,
Guillem

[Prev in Thread]

Current Thread

[Next in Thread]

[BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer ---> SEGV), Erik Auerswald, 2022/08/27
- Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer ---> SEGV), Erik Auerswald, 2022/08/28
  - Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer ---> SEGV), Simon Josefsson, 2022/08/30
    - Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer ---> SEGV), Erik Auerswald, 2022/08/31
  - Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer ---> SEGV), Guillem Jover <=

Prev by Date: Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer ---> SEGV)
Next by Date: Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer ---> SEGV)
Previous by thread: Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer ---> SEGV)
Index(es):
- Date
- Thread