
Bug 711746 (CVE-2020-10188)

Summary: net-misc/netkit-telnetd: Possible RCE via 'netclear' and 'nextitem' functions (CVE-2020-10188)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: paolo.pedroni, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html
Whiteboard: B2 [upstream/ebuild cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-06 21:50:55 UTC
Description:
"utility.c in telnetd in netkit telnet through 0.17 allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions."

This is not a particularly easy bug to figure out if we're affected by:
* Original write-up/disclosure: https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html
* Debian have not updated their patchset since a long while before that release (patch set 41 is from 2016/11/21, which we're on)
* Debian's latest bump [0] 0.17-41.2 does not seem to have relevant changes
* A PoC [1] on Debian Buster amd64 in a VM did NOT work, but this does not mean Debian is necessarily immune.

I will try to dig into the writeup referenced to see if we're affected. For now, given there is no fix, we're waiting on upstream anyway.

[0] https://tracker.debian.org/news/1032832/accepted-netkit-telnet-017-412-source-into-unstable/
[1] https://www.exploit-db.com/exploits/48170
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-08 00:48:03 UTC
Needs confirmation.
Comment 3 Paolo Pedroni 2020-04-17 07:13:35 UTC
Since we use the same patchset that Debian uses we are then not affected by this bug.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 16:02:17 UTC
(In reply to Paolo Pedroni from comment #3)
> Since we use the same patchset that Debian uses we are then not affected by
> this bug.

Right, it looks now like it's been fixed for a while:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953477

This is Fedora's patch but it looks like we don't need it:
https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch

I'll close this given Debian's not affected. Thank you.