This vulnerability was published in 2001 but does not seem to be fixed in the current ebuild: CVE-2001-0554: "Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function." http://www.securityfocus.com/bid/3064 (especially: http://www.securityfocus.com/archive/1/203000/2004-09-16/2004-09-22/2 ) RH and Debian seem to have substituted netoprintf().
_____________________________________________________________________________
And a Debian bug report from August: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=264846 [...] Although this should never actually happen, if you set your environment variable HOME to an extremely large string a buffer overflow will occur upon connecting to a server using telnet. I was not able to overwrite 'eip' but I have included a patch that fixes this problem. [...] This has been patched in the latest Debian release.
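As an added illustration of the bug class named in the report above (this is not code from netkit-telnet, nor from the Debian or Red Hat patches; the queue size, the struct layout and the 'A' option encoding are constructed for the example), here is a telnetd-style output queue that answers AYT with a formatted line. The "before" pattern appends with sprintf() and trusts that the queue has room, so a long run of AYT options eventually writes past the end. The bounded netoprintf() below borrows only the name from the Debian fix; it measures the remaining space first and drops a reply that does not fit, so no option sequence can overflow the queue.

```c
/*
 * Added illustration, not netkit-telnet code: a fixed-size output queue
 * with an unbounded "before" append and a bounded "after" append.
 */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NETOBUF_SIZE 64   /* small on purpose so the limit is easy to reach */

struct netobuf {
    char   buf[NETOBUF_SIZE];
    size_t len;           /* bytes queued but not yet written to the socket */
    int    dropped;       /* replies that did not fit and were discarded */
};

/* "Before": unbounded append, the pattern that CVE-2001-0554 describes.
 * Kept here only to show the shape of the bug; nothing below calls it. */
void unsafe_append(struct netobuf *nb, const char *fmt, const char *arg)
{
    nb->len += (size_t)sprintf(nb->buf + nb->len, fmt, arg);  /* no room check */
}

/* "After": bounded append. Appends the whole message or nothing.
 * Returns the number of bytes appended, or 0 when the message was dropped. */
size_t netoprintf(struct netobuf *nb, const char *fmt, ...)
{
    size_t room = NETOBUF_SIZE - nb->len;   /* always >= 1, see below */
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(nb->buf + nb->len, room, fmt, ap);
    va_end(ap);

    if (n < 0 || (size_t)n >= room) {
        nb->buf[nb->len] = '\0';   /* undo the partial write */
        nb->dropped++;
        return 0;
    }
    nb->len += (size_t)n;          /* len + n < NETOBUF_SIZE, so room stays >= 1 */
    return (size_t)n;
}

/* Feed a stream of option codes; 'A' stands for AYT (constructed encoding,
 * not the real telnet byte values). Returns the number of AYT replies queued. */
int handle_options(struct netobuf *nb, const char *opts, const char *host)
{
    int replies = 0;
    for (; *opts; opts++) {
        if (*opts == 'A' && netoprintf(nb, "\r\n[%s : yes]\r\n", host) > 0)
            replies++;
    }
    return replies;
}

int main(void)
{
    struct netobuf nb = { "", 0, 0 };
    /* 40 AYTs in a row: far more than the 64-byte queue can hold */
    int n = handle_options(&nb, "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA", "host");
    printf("queued %d replies, dropped %d, len %zu/%d\n",
           n, nb.dropped, nb.len, NETOBUF_SIZE);
    return 0;
}
```

With a 16-byte reply and a 64-byte queue, only three AYT answers fit; the remaining 37 are dropped and the queue stays NUL-terminated and inside its bounds. A real server would flush the queue to the socket and retry rather than drop, but the invariant that matters is the same: the write size is checked against the remaining room before any byte is stored.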
Created attachment 39916 [details, diff] Debian patchset Full set of patches to orig from Debian the first vulnerability seems to be addressed by a new netoprintf() which is patched into ext.h and utility.c afaict
Created attachment 39917 [details, diff] one of the RH patches RH uses a new function instead of netoprintf() too btw... the RH set of patches consists of 7 files in total, someone might want to check what else is getting patched there when there is time
seemant, you committed the last ebuild and there is no metadata.xml. Please confirm and apply the patch as necessary.
Ok.. this is not a fun one to solve here. Patch #2 (RH) makes things simple but I'm seeing what could be format string problems all over the place. Patch #1 (DEB) is clearly superior to what we have in portage but fails to even compile for me using a modern compiler. ---------------------------------------------------------------------------------- Requesting assistance from our gcc-porting team. gcc-porting, can you please look into making patch #1 (DEB) work on a gentoo ASAP so this security bug can be resolved. - thanks in advance
gcc-porting/solar, did you have any luck in figuring this out yet? Since one of the vulnerabilities is pretty old and not a light one, it would be good to have it patched soon.
hi, try the following: --start-patch-- diff -Naur ./netkit-telnet-0.17_orig/telnetd/utility.c ./netkit-telnet-0.17/telnetd/utility.c --- ./netkit-telnet-0.17_orig/telnetd/utility.c 2004-09-24 17:49:10.728813640 +0200 +++ ./netkit-telnet-0.17/telnetd/utility.c 2004-09-24 17:50:19.837307552 +0200 @@ -37,6 +37,9 @@ char util_rcsid[] = "$Id: utility.c,v 1.11 1999/12/12 14:59:45 dholland Exp $"; +#define _GNU_SOURCE +#include <stdio.h> + #define PRINTOPTIONS #include <stdarg.h> --end-patch-- unfortunately this funct() isn't documented... ;-) so i'm not sure, if it will compile on all glibc versions out there... best regards rootshell
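Review bot: the `#define _GNU_SOURCE` in this hunk only takes effect if it precedes the first inclusion of any glibc header in the translation unit; here it lands before `#include <stdarg.h>`, so it works for utility.c, but it fixes exactly one file and nothing in the hunk records why it is there. Suggest adding `-D_GNU_SOURCE` to the CFLAGS in the Makefile instead (so every file that uses a GNU extension gets the prototype) and a one-line comment naming the function that needs it, otherwise the next undocumented-function build break will be in another file.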
Created attachment 40532 [details, diff] fixed debian patch hi, as solar said: the debian patch is 'clearly superior' to what's currently in portage. so i left most of it in. in fact, i removed only debian specific stuff. compiler fix is already included. according to Changelog: ... 05 Apr 2002; G.Bevin <gbevin@gentoo.org> netkit-telnetd-0.17-r2.ebuil, files/netkit-telnetd-0.17-gentoo.patch files/digest-netkit-telnetd-0.17-r2 : Global fixes to makefile inclusion and library linkage to make it compile with gcc3. ... ...the current gentoo.patch is now unneeded with this modified debian patch. so please test, stabilize, report bugs - as always... ;-) best regards florian
seems to compile and work when changing -DLOGIN_WRAPPER=\"/usr/lib/telnetlogin\" to -DLOGIN_WRAPPER=\"/usr/sbin/telnetlogin\" in the patch. Although I'm not sure if it is wise to apply such a big patch, which includes more than just fixes to the vulnerability. This package is definitely missing a maintainer.
Created attachment 40748 [details, diff] telnetd/Makefile patch add this patch to solar's -r4 ebuild using the big debian patch, and gcc3.4 will be happy
Thanks. netkit-telnetd-0.17-r4.ebuild added to the tree. KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~hppa ~amd64 ~ppc64"
We now pull patch source directly from http://ftp.debian.org/debian/pool/main/n/netkit-telnet/netkit-telnet_0.17-26.diff.gz with 1 additional patch provided from comment #8 and comment #9. I skipped the patch from comment #7 (thanks anyway).
Installed package data appears as (FEATURES="nodoc noinfo"):
-------------------------------------------------------------------------------
/usr/bin/telnet
/usr/sbin/telnetd
/usr/sbin/in.telnetd
/usr/sbin/telnetlogin
/usr/share/man/man1/telnet.1.gz
/usr/share/man/man8/telnetd.8.gz
/usr/share/man/man8/in.telnetd.8.gz
/usr/share/man/man8/telnetlogin.8.gz
/usr/share/man/man5/issue.net.5.gz
/etc/xinetd.d/telnetd
-------------------------------------------------------------------------------
I've added a metadata.xml and added myself as the interim maintainer. If anybody else wants this please by all means assume it. As this has many changes I suggest you test it well before marking stable on any arches.
Arches, please test carefully and mark stable.
solar, since the ebuild does "dosbin telnetlogin/telnetlogin || die", the patch should have -DLOGIN_WRAPPER=\"/usr/sbin/telnetlogin\" instead of -DLOGIN_WRAPPER=\"/usr/lib/telnetlogin\", otherwise you would have to specify the login program with the -L option to telnetd
ack, that's what i've seen testing here, telnetd won't work out of the box otherwise.
Created attachment 40779 [details, diff] slightly patched patch ;-) new patch wrt comment #12
going back to ebuild status sorry for the noise, but we will be back ;-)
Created attachment 40781 [details, diff] security only patch hi, as the debian patch not only introduces security fixes, but also has many new (and cool) features, i have attached a patch that fixes _only_ the security issues. i have derived the patch from the slackware ayt patch, gentoo patch is included, home problem also fixed. (without new features) !!! so eventually you want to mark this patch stable for a month or so, then bump to the debianized version. one personal note: if gentoo decides to adopt the debian patchset, it would be good practice to ask the current debian maintainer... ;-) there are about 2 years of work in this patch... best regards florian [rootshell]
Could someone please have a look at comments 12, 13, 14 and correct the patch?
update patch from comment #14 - skipping patch from comment #16 as I'm not interested in having a limping along telnetd. Normally we don't add features and security patches at the same time. But seeing as this package has no maintainer and I've accepted being the temp maintainer, this is how I'll just maintain this package. I'd rather be taking advantage of those two years of QA, security fixes and features deb has put into it. Thanks anyway for the patch from comment #16. If however problems arise while stabilizing this one then one of the arch devs can try your patch, but he/she will have to accept becoming the maintainer of this ebuild.
Back to business... Arches: please test carefully and eventually mark stable.
stable on ppc
Stable on alpha.
stable on sparc.
Stable on mips.
stable on x86
Debian just issued: http://www.debian.org/security/2004/dsa-556 "Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user)." This is CAN-2004-0911. Apparently what we use (0.17-26) should have the fix in, please doublecheck.
http://packages.qa.debian.org/n/netkit-telnet.html
It appears that the latest vulnerability (comment #25) is Debian specific and was introduced by their earlier patches. Since we used -26 right away, we were not vulnerable to this one. I guess there were "just" the AYT and HOME buffer overflows for us.
stable on amd64
Generating MCONFIG...
(cd telnet && make)
make[1]: Entering directory `/mnt/portage/tmp/portage/netkit-telnetd-0.17-r4/work/netkit-telnet-0.17/telnet'
g++ -march=i686 -O3 -march=i686 -O3 -pipe -fno-rtti -fno-exceptions -Wall -Wno-trigraphs -DUSE_TERMIO -DKLUDGELINEMODE commands.cc -c
commands.cc: In function `void cmdrc(const char *, const char *, const char *)':
commands.cc:2147: implicit declaration of function `int asprintf(...)'
make[1]: *** [commands.o] Error 1
make[1]: Leaving directory `/mnt/portage/tmp/portage/netkit-telnetd-0.17-r4/work/netkit-telnet-0.17/telnet'
make: *** [telnet.build] Error 2
!!! ERROR: net-misc/netkit-telnetd-0.17-r4 failed.
!!! Function src_compile, Line 51, Exitcode 2
!!! (no error message)
Portage 2.0.50-r11 (default-1.0, gcc-2.95.3, glibc-2.2.5-r9, 2.6.7-gentoo-r14)
0.17-r3 installed successfully so it has to be something with this new patch
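The failure above is asprintf() being called without a prototype: asprintf is a GNU extension that glibc only declares in <stdio.h> when _GNU_SOURCE is defined before the first system header is included. As an added example (not code from netkit-telnet; the rc_path() helper and its ".telnetrc" path are assumptions standing in for whatever cmdrc() does with HOME), the block below shows the macro placed where it must go and a vsnprintf-based replacement with asprintf semantics that needs no extension at all, so the build does not depend on the feature macro or on a particular glibc version.

```c
/*
 * Added example, not netkit-telnet code. Two ways to make asprintf-style
 * code build everywhere: define _GNU_SOURCE before any #include, or drop
 * the extension for a C99 vsnprintf measure-then-format routine.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* must precede every #include to have any effect */
#endif
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable replacement with asprintf semantics: allocates exactly enough,
 * returns the formatted length, or -1 with *out == NULL on failure. */
int portable_asprintf(char **out, const char *fmt, ...)
{
    va_list ap, ap2;
    int n;
    char *p;

    *out = NULL;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    n = vsnprintf(NULL, 0, fmt, ap);   /* pass 1: measure only */
    va_end(ap);
    if (n < 0) {
        va_end(ap2);
        return -1;
    }
    p = malloc((size_t)n + 1);
    if (p == NULL) {
        va_end(ap2);
        return -1;
    }
    vsnprintf(p, (size_t)n + 1, fmt, ap2);   /* pass 2: format into exact size */
    va_end(ap2);
    *out = p;
    return n;
}

/* Hypothetical stand-in for building "$HOME/.telnetrc": with a heap string
 * sized from the input, an oversized HOME just yields a longer string
 * instead of overrunning a fixed buffer. Caller frees the result. */
char *rc_path(const char *home)
{
    char *path;
    if (portable_asprintf(&path, "%s/.telnetrc", home) < 0)
        return NULL;
    return path;
}

int main(void)
{
    char *p = rc_path("/home/user");
    if (p != NULL) {
        puts(p);
        free(p);
    }
    return 0;
}
```

Both passes of vsnprintf are given the same arguments via va_copy, which is the part people most often get wrong when writing this by hand; reusing a va_list after the first call is undefined behaviour.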
GLSA 200410-03 hppa, ppc64, don't forget to mark stable to benefit from GLSA.
stable on ppc64, thanks!
solar@simple netkit-telnetd $ date -u Mon Nov 1 21:35:59 UTC 2004 solar@simple netkit-telnetd $ cvs diff netkit-telnetd-0.17-r4.ebuild solar@simple netkit-telnetd $ diff -rup netkit-telnetd-0.17-r3.ebuild netkit-telnetd-0.17-r4.ebuild --- netkit-telnetd-0.17-r3.ebuild 2004-11-01 16:32:50.000000000 -0500 +++ netkit-telnetd-0.17-r4.ebuild 2004-11-01 16:32:50.000000000 -0500 @@ -1,16 +1,18 @@ # Copyright 1999-2004 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/netkit-telnetd/netkit-telnetd-0.17-r3.ebuild,v 1.25 2004/06/29 00:16:46 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/netkit-telnetd/netkit-telnetd-0.17-r4.ebuild,v 1.8 2004/10/06 15:37:55 gmsoft Exp $ inherit eutils +PATCHLEVEL=26 DESCRIPTION="Standard Linux telnet client and server" HOMEPAGE="ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/" -SRC_URI="ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/netkit-telnet-${PV}.tar.gz" +SRC_URI="ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/netkit-telnet-${PV}.tar.gz + http://ftp.debian.org/debian/pool/main/n/netkit-telnet/netkit-telnet_0.17-${PATCHLEVEL}.diff.gz" LICENSE="BSD" SLOT="0" -KEYWORDS="x86 ppc sparc mips alpha hppa amd64 ppc64" +KEYWORDS="x86 ppc sparc mips alpha hppa amd64 ~ppc64" IUSE="build" DEPEND=">=sys-libs/ncurses-5.2 
@@ -21,7 +23,21 @@ S=${WORKDIR}/netkit-telnet-${PV} src_unpack() { unpack ${A} cd ${S} - epatch ${FILESDIR}/netkit-telnetd-0.17-gentoo.patch + # Patch: [0] + # Gentoo lacks a maintainer for this package right now. And a + # security problem arose. While reviewing our options for how + # should we proceed with the security bug we decided it would be + # better to just stay in sync with debian's own netkit-telnet + # package. Lots of bug fixes by them over time which were not in + # our telnetd. + epatch ${WORKDIR}/netkit-telnet_0.17-${PATCHLEVEL}.diff || die + + # Patch: [1] + # after the deb patch we need to add a small patch that defines + # gnu source. This is needed for gcc-3.4.x (needs to be pushed + # back to the deb folk?) + epatch ${FILESDIR}/netkit-telnetd-0.17-cflags-gnu_source.patch \ + || die } src_compile() { solar@simple netkit-telnetd $ grep KEYWORDS= * netkit-telnetd-0.17-r3.ebuild:KEYWORDS="x86 ppc sparc mips alpha hppa amd64 ppc64" netkit-telnetd-0.17-r4.ebuild:KEYWORDS="x86 ppc sparc mips alpha hppa amd64 ~ppc64" --------------------------------------------------------- ppc64 is not stable revision is 1.8 and never could have been. 1.1 initial ebuild 1.2 x86 1.3 ppc 1.4 sparc 1.5 mips 1.6 alpha 1.7 hppa 1.8 amd64 (1.2 - 1.8 are out of order but..) ppc64 - Please mark -r4 stable I have to add a small update to add for gcc-2.x from bug #68679
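Review bot: in the src_unpack hunk, `|| die` after both new `epatch` calls is redundant; epatch from eutils.eclass already dies when a patch fails to apply, so `epatch ${WORKDIR}/netkit-telnet_0.17-${PATCHLEVEL}.diff` and `epatch ${FILESDIR}/netkit-telnetd-0.17-cflags-gnu_source.patch` can stand on their own and the line continuation goes away. The in-line comments for patch [0] and [1] are the right idea; for patch [1] it would help to state in the comment which symbol the _GNU_SOURCE define is needed for, since that is the information the "push back to the deb folk?" question would need.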
tested and committed on ppc64. Markus
Closing again :)
removing ppc64 from cc list