Arch Linux 811 Published by

An inetutils security update has been released for Arch Linux.



ASA-202106-20: inetutils: arbitrary code execution


Arch Linux Security Advisory ASA-202106-20
==========================================

Severity: High
Date : 2021-06-09
CVE-ID : CVE-2019-0053 CVE-2020-10188
Package : inetutils
Type : arbitrary code execution
Remote : Yes
Link :   https://security.archlinux.org/AVG-1003

Summary
=======

The package inetutils before version 2.0-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 2.0-1.

# pacman -Syu "inetutils>=2.0-1"

The problems have been fixed upstream in version 2.0.

Workaround
==========

None.

Description
===========

- CVE-2019-0053 (arbitrary code execution)

inetutils before version 1.9.4.90 contains a stack overflow
vulnerability in the client-side environment variable handling which
can be exploited to escape restricted shells on embedded devices. A
stack-based overflow is present in the handling of environment
variables when connecting telnet.c to remote telnet servers through
oversized DISPLAY arguments.

- CVE-2020-10188 (arbitrary code execution)

A vulnerability was found in inetutils before version 1.9.4.91 where
incorrect bounds checks in the telnet server’s (telnetd) handling of
short writes and urgent data could lead to information disclosure and
corruption of heap data. An unauthenticated remote attacker could
exploit these bugs by sending specially crafted telnet packets to
achieve arbitrary code execution in the telnet server.

Impact
======

Requesting environment variables with crafted contents could lead to
arbitrary code execution in a telnet client. Additionally an
unauthenticated remote attacker could execute arbitrary code on a
telnet server via crafted packets.

References
==========

  https://bugs.archlinux.org/task/70040
  https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/inetutils-telnet.txt
  https://git.savannah.gnu.org/gitweb/?p=inetutils.git;a=commitdiff;h=1480573a908254662074865406ac6fbde4694e5d
  https://git.savannah.gnu.org/gitweb/?p=inetutils.git;a=commitdiff;h=07fdb4201a3a5e6df92c0929c65671ce4ba8af5a
  https://bugzilla.redhat.com/show_bug.cgi?id=1811673
  https://git.savannah.gnu.org/gitweb/?p=inetutils.git;a=commitdiff;h=cd7e7e685daeafb68f19347747af6340731a4518
  https://security.archlinux.org/CVE-2019-0053
  https://security.archlinux.org/CVE-2020-10188