!1 fix CVE-2020-10188

Merge pull request !1 from Vchanger/master
2020-05-06 17:04:31 +08:00 · 2020-05-06 17:04:31 +08:00 · 2d248d52ba
commit 2d248d52ba
parent 211b6c9c33 7286d8a876
2 changed files with 105 additions and 1 deletions
--- a/CVE-2020-10188.patch
+++ b/CVE-2020-10188.patch
@ -0,0 +1,97 @@
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index 82edee5..514ec19 100644
+--- a/telnetd/utility.c
+++ b/telnetd/utility.c
+@@ -219,31 +219,38 @@ void 	ptyflush(void)
+  */
+ static
+ char *
+-nextitem(char *current)
+nextitem(char *current, const char *endp)
+ {
+    if (current >= endp) {
+        return NULL;
+    }
+     if ((*current&0xff) != IAC) {
+ 	return current+1;
+     }
+    if (current+1 >= endp) {
+        return NULL;
+    }
+     switch (*(current+1)&0xff) {
+     case DO:
+     case DONT:
+     case WILL:
+     case WONT:
+-	return current+3;
+	return current+3 <= endp ? current+3 : NULL;
+     case SB:		/* loop forever looking for the SE */
+ 	{
+ 	    register char *look = current+2;
+ 
+-	    for (;;) {
+	    while (look < endp) {
+ 		if ((*look++&0xff) == IAC) {
+-		    if ((*look++&0xff) == SE) {
+		    if (look < endp && (*look++&0xff) == SE) {
+ 			return look;
+ 		    }
+ 		}
+ 	    }
+	    return NULL;
+ 	}
+     default:
+-	return current+2;
+	return current+2 <= endp ? current+2 : NULL;
+     }
+ }  /* end of nextitem */
+ 
+@@ -269,7 +276,7 @@ void netclear(void)
+     register char *thisitem, *next;
+     char *good;
+ #define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
+-				((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+				(nfrontp > p+1 && (((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))))
+ 
+ #if	defined(ENCRYPT)
+     thisitem = nclearto > netobuf ? nclearto : netobuf;
+@@ -277,7 +284,7 @@ void netclear(void)
+     thisitem = netobuf;
+ #endif
+ 
+-    while ((next = nextitem(thisitem)) <= nbackp) {
+    while ((next = nextitem(thisitem, nbackp)) != NULL && next <= nbackp) {
+ 	thisitem = next;
+     }
+ 
+@@ -289,20 +296,23 @@ void netclear(void)
+     good = netobuf;	/* where the good bytes go */
+ #endif
+ 
+-    while (nfrontp > thisitem) {
+    while (thisitem != NULL && nfrontp > thisitem) {
+ 	if (wewant(thisitem)) {
+ 	    int length;
+ 
+ 	    next = thisitem;
+ 	    do {
+-		next = nextitem(next);
+-	    } while (wewant(next) && (nfrontp > next));
+		next = nextitem(next, nfrontp);
+	    } while (next != NULL && wewant(next) && (nfrontp > next));
+	    if (next == NULL) {
+		next = nfrontp;
+	    }
+ 	    length = next-thisitem;
+ 	    bcopy(thisitem, good, length);
+ 	    good += length;
+ 	    thisitem = next;
+ 	} else {
+-	    thisitem = nextitem(thisitem);
+	    thisitem = nextitem(thisitem, nfrontp);
+ 	}
+     }
+ 
+-- 
+1.8.3.1
+
--- a/telnet.spec
+++ b/telnet.spec
@ -1,7 +1,7 @@
 Name:             telnet
 Epoch:            1
 Version:          0.17
-Release:          75
+Release:          76
 Summary:          Client and Server programs for the Telnet communication protocol
 License:          BSD
 Url:              http://web.archive.org/web/20070819111735/www.hcs.harvard.edu/~dholland/computers/old-netkit.html
@ -38,6 +38,7 @@ Patch0023:        netkit-telnet-0.17-core-dump.patch
 Patch0024:        netkit-telnet-0.17-gcc7.patch
 Patch0025:        netkit-telnet-0.17-manpage.patch
 Patch0026:        netkit-telnet-0.17-telnetrc.patch
+Patch0027:        CVE-2020-10188.patch

 BuildRequires:    gcc-c++ ncurses-devel systemd
 Requires:         systemd
@ -101,5 +102,11 @@ install -pm644 %{SOURCE3} %{buildroot}%{_unitdir}/telnet.socket
 %{_mandir}/man1/telnet.1*

 %changelog
+* Mon Apr 27 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:0.17-76
+- Type:cves
+- ID:CVE-2020-10188
+- SUG:restart
+- DESC:fix CVE-2020-10188
+
 * Sat Sep 14 2019 huzhiyu<huzhiyu1@huawei.com> - 1:0.17-75
 - Package init