[ASA-202106-20] inetutils: arbitrary code execution

Jonas Witschel diabonas at archlinux.org
Fri Jun 11 15:58:19 UTC 2021


Arch Linux Security Advisory ASA-202106-20
==========================================

Severity: High
Date    : 2021-06-09
CVE-ID  : CVE-2019-0053 CVE-2020-10188
Package : inetutils
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1003

Summary
=======

The package inetutils before version 2.0-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 2.0-1.

# pacman -Syu "inetutils>=2.0-1"

The problems have been fixed upstream in version 2.0.
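
One way to audit hosts against the fixed version named above, as an added
example that is not part of the advisory: it reads `pacman -Q` output and
flags inetutils older than 2.0-1. It uses pacman's `vercmp` when present and
otherwise assumes GNU `sort -V` as an approximation; the function names and
the sample package list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory or the inetutils project.
FIXED="2.0-1"   # first fixed package version, taken from the advisory

# version_lt A B: succeed when version A sorts strictly before version B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    if command -v vercmp >/dev/null 2>&1; then
        # vercmp ships with pacman and prints -1, 0 or 1.
        [ "$(vercmp "$1" "$2")" -lt 0 ]
    else
        # Assumption: GNU sort -V is close enough to pacman's ordering for
        # plain "pkgver-pkgrel" strings. It does not understand epochs.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# audit_inetutils: read "name version" lines (pacman -Q format) on stdin.
# Returns 0 when inetutils is absent or fixed, 1 when it is vulnerable.
audit_inetutils() {
    ver=$(awk '$1 == "inetutils" { print $2; exit }')
    if [ -z "$ver" ]; then
        echo "inetutils: not installed"
        return 0
    fi
    if version_lt "$ver" "$FIXED"; then
        echo "inetutils $ver: VULNERABLE (CVE-2019-0053 CVE-2020-10188)," \
             "upgrade to >= $FIXED"
        return 1
    fi
    echo "inetutils $ver: fixed"
    return 0
}

# Constructed sample in pacman -Q format (not taken from a real host).
SAMPLE='glibc 2.33-5
inetutils 1.9.4-10
openssh 8.6p1-1'
printf '%s\n' "$SAMPLE" | audit_inetutils || true
```

On an Arch host, feed it the real package list with
`pacman -Q | audit_inetutils`.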

Workaround
==========

None.

Description
===========

- CVE-2019-0053 (arbitrary code execution)

inetutils before version 1.9.4.90 contains a stack overflow
vulnerability in the client-side environment variable handling which
can be exploited to escape restricted shells on embedded devices. A
stack-based overflow is present in the handling of environment
variables in telnet.c when connecting to remote telnet servers; it is
triggered through oversized DISPLAY arguments.

- CVE-2020-10188 (arbitrary code execution)

A vulnerability was found in inetutils before version 1.9.4.91 where
incorrect bounds checks in the telnet server’s (telnetd) handling of
short writes and urgent data could lead to information disclosure and
corruption of heap data. An unauthenticated remote attacker could
exploit these bugs by sending specially crafted telnet packets to
achieve arbitrary code execution in the telnet server.

Impact
======

Requesting environment variables with crafted contents could lead to
arbitrary code execution in a telnet client. Additionally, an
unauthenticated remote attacker could execute arbitrary code on a
telnet server via crafted packets.

References
==========

https://bugs.archlinux.org/task/70040
https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/inetutils-telnet.txt
https://git.savannah.gnu.org/gitweb/?p=inetutils.git;a=commitdiff;h=1480573a908254662074865406ac6fbde4694e5d
https://git.savannah.gnu.org/gitweb/?p=inetutils.git;a=commitdiff;h=07fdb4201a3a5e6df92c0929c65671ce4ba8af5a
https://bugzilla.redhat.com/show_bug.cgi?id=1811673
https://git.savannah.gnu.org/gitweb/?p=inetutils.git;a=commitdiff;h=cd7e7e685daeafb68f19347747af6340731a4518
https://security.archlinux.org/CVE-2019-0053
https://security.archlinux.org/CVE-2020-10188