Description: "utility.c in telnetd in netkit telnet through 0.17 allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions."

This is not a particularly easy bug to figure out if we're affected by:
* Original write-up/disclosure: https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html
* Debian have not updated their patchset since a long while before that release (patch set 41 is from 2016/11/21, which we're on)
* Debian's latest bump [0] 0.17-41.2 does not seem to have relevant changes
* A PoC [1] on Debian Buster amd64 in a VM did NOT work, but this does not mean Debian is necessarily immune.

I will try to dig into the writeup referenced to see if we're affected. For now, given there is no fix, we're waiting on upstream anyway.

[0] https://tracker.debian.org/news/1032832/accepted-netkit-telnet-017-412-source-into-unstable/
[1] https://www.exploit-db.com/exploits/48170
Needs confirmation.
Debian links to keep an eye on:
* https://security-tracker.debian.org/tracker/CVE-2020-10188
* https://security-tracker.debian.org/tracker/source-package/netkit-telnet (general)
Since we use the same patchset that Debian uses we are then not affected by this bug.
(In reply to Paolo Pedroni from comment #3)
> Since we use the same patchset that Debian uses we are then not affected by
> this bug.

Right, it looks now like it's been fixed for a while: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953477

This is Fedora's patch but it looks like we don't need it: https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch

I'll close this given Debian's not affected. Thank you.