Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package telnet for openSUSE:Factory checked in at 2022-10-22 14:12:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/telnet (Old) and /work/SRC/openSUSE:Factory/.telnet.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "telnet" Sat Oct 22 14:12:39 2022 rev:33 rq:1030433 version:1.2 Changes: -------- --- /work/SRC/openSUSE:Factory/telnet/telnet.changes 2021-12-18 20:29:23.930214315 +0100 +++ /work/SRC/openSUSE:Factory/.telnet.new.2275/telnet.changes 2022-10-22 14:13:13.632757929 +0200 @@ -1,0 +2,7 @@ +Fri Oct 21 14:47:08 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com> + +- Fix CVE-2022-39028, NULL pointer dereference in telnetd + (CVE-2022-39028, bsc#1203759) + CVE-2022-39028.patch + +------------------------------------------------------------------- New: ---- CVE-2022-39028.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ telnet.spec ++++++ --- /var/tmp/diff_new_pack.f4526y/_old 2022-10-22 14:13:14.476759929 +0200 +++ /var/tmp/diff_new_pack.f4526y/_new 2022-10-22 14:13:14.480759939 +0200 @@ -1,7 +1,7 @@ # # spec file for package telnet # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -34,6 +34,9 @@ Patch4: telnet-bsd-1.2-hostalias.patch #PATCH-FIX-UPSTREAM bnc#898481 kstreitova@suse.com -- fix the infinite loop consumes an entire CPU Patch5: telnet-bsd-1.2-fix-infinite-loop.patch +# PATCH-FIX-SECURITY bsc#1203759 danilo.spinella@suse.com CVE-2022-39028 +# NULL pointer dereference in telnetd +Patch6: CVE-2022-39028.patch BuildRequires: ncurses-devel BuildRequires: systemd-rpm-macros Provides: nkitb:%{_bindir}/telnet 
@@ -68,6 +71,7 @@ %patch3 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %build export CFLAGS="%{optflags} -fpie $(ncurses6-config --cflags)" ++++++ CVE-2022-39028.patch ++++++ Description: Fix remote DoS vulnerability in inetutils-telnetd This is caused by a crash by a NULL pointer dereference when sending the byte sequences ��0xff 0xf7�� or ��0xff 0xf8��. Authors: Pierre Kim (original patch), Alexandre Torres (original patch), Erik Auerswald <auerswal@unix-ag.uni-kl.de> (adapted patch), Reviewed-by: Erik Auerswald <auerswal@unix-ag.uni-kl.de> Origin: upstream Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnet... Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html Last-Update: 2022-08-28 diff --git a/telnetd/state.c b/telnetd/state.c index ffc6cbaf..c2d760f8 100644 --- a/telnetd/state.c +++ b/telnetd/state.c @@ -185,16 +185,22 @@ telrcv (void) case EC: case EL: { - cc_t ch; + cc_t ch = (cc_t) (_POSIX_VDISABLE); DIAG(TD_OPTIONS, printoption("td: recv IAC", c)); ptyflush(); /* half-hearted */ init_termbuf(); if (c == EC) - ch = *slctab[SLC_EC].sptr; + { + if (slctab[SLC_EC].sptr) + ch = *slctab[SLC_EC].sptr; + } else - ch = *slctab[SLC_EL].sptr; + { + if (slctab[SLC_EL].sptr) + ch = *slctab[SLC_EL].sptr; + } if (ch != (cc_t)(_POSIX_VDISABLE)) *pfrontp++ = (unsigned char)ch; break;
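
Review bot: in the telnet.changes entry, CVE-2022-39028 appears twice on consecutive lines ("Fix CVE-2022-39028, ..." and "(CVE-2022-39028, bsc#1203759)"); one mention is enough. The entry also says only "NULL pointer dereference in telnetd", while the patch description calls it a remote DoS. Saying so in the changelog tells administrators reading it how urgent the update is.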
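
Review bot: in the telnet.spec hunk at -34,6 +34,9, the new comment is tagged "# PATCH-FIX-SECURITY" while the neighbouring Patch5 comment uses "#PATCH-FIX-UPSTREAM", and the patch's own header says "Origin: upstream" and carries a Forwarded link; tagging it PATCH-FIX-UPSTREAM, with the same spacing after "#", would be consistent with both. The patch description names inetutils-telnetd, whereas the other patches listed in this spec are telnet-bsd-1.2-*; the comment should state whether the inetutils patch applies unchanged to this source tree, so the next maintainer does not have to work that out.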
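
Review bot: in the EC/EL case of telrcv() in telnetd/state.c, the two new branches repeat the same NULL check, once on slctab[SLC_EC].sptr and once on slctab[SLC_EL].sptr; selecting the table index first (SLC_EC when c == EC, otherwise SLC_EL) and testing sptr once would halve the code and keep the two paths from drifting apart. The new initializer is written "(cc_t) (_POSIX_VDISABLE)" while the unchanged comparison a few lines below uses "(cc_t)(_POSIX_VDISABLE)"; pick one spelling. The hunk covers only EC and EL, so it is worth checking whether any other dereference of an slctab[].sptr entry in this file can see a NULL pointer, and adding a regression test that feeds telrcv() the two sequences named in the patch description (0xff 0xf7 and 0xff 0xf8) and asserts that nothing is written to the pty buffer.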