telnet: fix CVE-2020-10188

2020-04-27 17:36:24 +08:00 · 2020-04-27 17:36:24 +08:00 · 7286d8a876
commit 7286d8a876
parent 211b6c9c33
2 changed files with 105 additions and 1 deletions
--- a/CVE-2020-10188.patch
+++ b/CVE-2020-10188.patch
@ -0,0 +1,97 @@
 diff --git a/telnetd/utility.c b/telnetd/utility.c
 index 82edee5..514ec19 100644
 --- a/telnetd/utility.c
 +++ b/telnetd/utility.c
@@ -219,31 +219,38 @@ void 	ptyflush(void)
  */
 static
 char *
 -nextitem(char *current)
 +nextitem(char *current, const char *endp)
 {
 +    if (current >= endp) {
 +        return NULL;
 +    }
     if ((*current&0xff) != IAC) {
 	return current+1;
     }
 +    if (current+1 >= endp) {
 +        return NULL;
 +    }
     switch (*(current+1)&0xff) {
     case DO:
     case DONT:
     case WILL:
     case WONT:
 -	return current+3;
 +	return current+3 <= endp ? current+3 : NULL;
     case SB:		/* loop forever looking for the SE */
 	{
 	    register char *look = current+2;
 -	    for (;;) {
 +	    while (look < endp) {
 		if ((*look++&0xff) == IAC) {
 -		    if ((*look++&0xff) == SE) {
 +		    if (look < endp && (*look++&0xff) == SE) {
 			return look;
 		    }
 		}
 	    }
 +	    return NULL;
 	}
     default:
 -	return current+2;
 +	return current+2 <= endp ? current+2 : NULL;
     }
 }  /* end of nextitem */
@@ -269,7 +276,7 @@ void netclear(void)
     register char *thisitem, *next;
     char *good;
 #define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
 -				((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
 +				(nfrontp > p+1 && (((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))))
 #if	defined(ENCRYPT)
     thisitem = nclearto > netobuf ? nclearto : netobuf;
@@ -277,7 +284,7 @@ void netclear(void)
     thisitem = netobuf;
 #endif
 -    while ((next = nextitem(thisitem)) <= nbackp) {
 +    while ((next = nextitem(thisitem, nbackp)) != NULL && next <= nbackp) {
 	thisitem = next;
     }
@@ -289,20 +296,23 @@ void netclear(void)
     good = netobuf;	/* where the good bytes go */
 #endif
 -    while (nfrontp > thisitem) {
 +    while (thisitem != NULL && nfrontp > thisitem) {
 	if (wewant(thisitem)) {
 	    int length;
 	    next = thisitem;
 	    do {
 -		next = nextitem(next);
 -	    } while (wewant(next) && (nfrontp > next));
 +		next = nextitem(next, nfrontp);
 +	    } while (next != NULL && wewant(next) && (nfrontp > next));
 +	    if (next == NULL) {
 +		next = nfrontp;
 +	    }
 	    length = next-thisitem;
 	    bcopy(thisitem, good, length);
 	    good += length;
 	    thisitem = next;
 	} else {
 -	    thisitem = nextitem(thisitem);
 +	    thisitem = nextitem(thisitem, nfrontp);
 	}
     }
 -- 
 1.8.3.1
--- a/telnet.spec
+++ b/telnet.spec
@ -1,7 +1,7 @@
 Name:             telnet
 Epoch:            1
 Version:          0.17
-Release:          75
+Release:          76
 Summary:          Client and Server programs for the Telnet communication protocol
 License:          BSD
 Url:              http://web.archive.org/web/20070819111735/www.hcs.harvard.edu/~dholland/computers/old-netkit.html
@ -38,6 +38,7 @@ Patch0023:        netkit-telnet-0.17-core-dump.patch
 Patch0024:        netkit-telnet-0.17-gcc7.patch
 Patch0025:        netkit-telnet-0.17-manpage.patch
 Patch0026:        netkit-telnet-0.17-telnetrc.patch
 Patch0027:        CVE-2020-10188.patch
 BuildRequires:    gcc-c++ ncurses-devel systemd
 Requires:         systemd
@ -101,5 +102,11 @@ install -pm644 %{SOURCE3} %{buildroot}%{_unitdir}/telnet.socket
 %{_mandir}/man1/telnet.1*
 %changelog
 * Mon Apr 27 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:0.17-76
 - Type:cves
 - ID:CVE-2020-10188
 - SUG:restart
 - DESC:fix CVE-2020-10188
 * Sat Sep 14 2019 huzhiyu<huzhiyu1@huawei.com> - 1:0.17-75
 - Package init