bug-inetutils

Re: [PATCH 3/3] telnet: Avoid command evaluation crashes.


From: Erik Auerswald
Subject: Re: [PATCH 3/3] telnet: Avoid command evaluation crashes.
Date: Sat, 3 Sep 2022 19:07:52 +0200

Hello Simon,

On Sat, Sep 03, 2022 at 05:39:45PM +0200, Simon Josefsson wrote:
> Erik Auerswald <auerswal@unix-ag.uni-kl.de> writes:
> 
> >>  Please test commit access by pushing the patch, after writing
> >> a suitable NEWS entry.
> >
> > I have just committed and pushed the telnetd crash fix patch[1],
> > including a NEWS entry.
> >
> > [1] https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
> 
> Looks great!

Thanks! :-)

> [...]
> did you notice some fuzzing report that wasn't fixed?

I think the following reports have not yet been addressed:

* Problems found in ftp (the code did not change since the reports):

  * Untrusted Pointer Dereference in domacro() at inetutils/ftp/domacro.c:186
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00003.html
    (https://savannah.gnu.org/bugs/?61722)

  * Infinite Loop in domacro at domacro.c:258
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00005.html
    https://savannah.gnu.org/bugs/?61724
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00008.html

  * A heap-buffer-overflow in another () at cmds.c:202
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00016.html

  * NULL Pointer Dereference in setnmap() at cmds.c:2303
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00004.html
    https://savannah.gnu.org/bugs/?61723
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00013.html

* Problems found in tftp (the code did not change since the report):

  * Untrusted Pointer Dereference in getcmd() at inetutils/src/tftp.c:878
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00018.html

At first glance the above problems might be caused by feeding unexpected
input to the ftp and tftp clients.

AFAIK the other fuzzer-based crash reports have already been addressed
before the release of GNU Inetutils 2.3:

* I think you addressed the following two reports:

  * Heap-based Buffer Overflow in logger
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00015.html
    (see git commit 8e0df0e80b156a09ff361050bac38bbdcda03aef)

  * Memory leak in ifconfig
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00014.html
    (see git commit 6599d2be88c4e44ef88470aef16bf10bd7d67884)

  [ I did not analyze the above two bug reports or the commits intended ]
  [ to fix the issues.  I just assume that they are addressed based on  ]
  [ the commit log.  :-)                                                ]

* My patches should have addressed all the reports pertaining to telnet:

  * NULL Pointer Dereference in setcmd () at commands.c:1152
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00017.html

  * NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00007.html
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00011.html

  * NULL Pointer Dereference in help() at inetutils/telnet/commands.c:3094
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00006.html
    https://savannah.gnu.org/bugs/?61725
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00009.html
    https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00012.html

> I have a re-implementation of 'arp' that belongs in inetutils, maybe I
> should finally add it...

I have no objections. ;-)

Thanks,
Erik


