Patch for stack smashing buffer overflow

3 files changed, 187 insertions, 8 deletions

diff --git a/.SRCINFO b/.SRCINFO
index 29045ef36ca6..49d872510e53 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,8 +1,8 @@
 # Generated by mksrcinfo v8
-# Thu May  4 02:14:23 UTC 2017
+# Tue Jul 11 18:42:59 UTC 2017
 pkgbase = inetutils-git
 	pkgdesc = A collection of common network programs
-	pkgver = 1.9.4.r25.g3d64a8c7
+	pkgver = 1.9.4.r38.g91960071
 	pkgrel = 1
 	url = http://www.gnu.org/software/inetutils/
 	install = inetutils.install
@@ -24,8 +24,9 @@ pkgbase = inetutils-git
 	backup = etc/xinetd.d/rsh
 	backup = etc/pam.d/rlogin
 	backup = etc/pam.d/rsh
-	source = git://git.savannah.gnu.org/inetutils.git#commit=3d64a8c7280e7d218c4b607aa25352be1d6c4ded
+	source = git://git.savannah.gnu.org/inetutils.git
 	source = git://git.sv.gnu.org/gnulib
+	source = 0001-telnetd-Fix-buffer-overflows.patch
 	source = ftpd.service::https://projects.archlinux.org/svntogit/packages.git/plain/trunk/ftpd.service?h=packages/inetutils
 	source = rlogin.pam::https://projects.archlinux.org/svntogit/packages.git/plain/trunk/rlogin.pam?h=packages/inetutils
 	source = rlogin@.service::https://projects.archlinux.org/svntogit/packages.git/plain/trunk/rlogin@.service?h=packages/inetutils
@@ -43,6 +44,7 @@ pkgbase = inetutils-git
 	source = telnet.xinetd::https://projects.archlinux.org/svntogit/packages.git/plain/trunk/telnet.xinetd?h=packages/inetutils
 	sha256sums = SKIP
 	sha256sums = SKIP
+	sha256sums = 1eacb0bdb4496f12e7a0593278aa4ae1eadf271a263bf27285acb1c03015c4de
 	sha256sums = f1b9b4e57f484070366444a649f1be151d01d5bc965b9b192c242e4b7cc4beeb
 	sha256sums = 428367b148033c7fa865e92bdd73b06cb58e6909488649adebf8d2253a022f1f
 	sha256sums = 6112bcdb595937a8c7940dc158a97fd48b8cce6526a9fb017f347f614b9d6548
diff --git a/0001-telnetd-Fix-buffer-overflows.patch b/0001-telnetd-Fix-buffer-overflows.patch
new file mode 100644
index 000000000000..5742a2c67c72
--- /dev/null
+++ b/0001-telnetd-Fix-buffer-overflows.patch
@@ -0,0 +1,172 @@
+From c4f1bc8e2e9e6303a33e1babfffafef9aa628c49 Mon Sep 17 00:00:00 2001
+From: Guillem Jover <guillem@hadrons.org>
+Date: Tue, 11 Jul 2017 12:22:41 +0200
+Subject: [PATCH] telnetd: Fix buffer overflows
+
+Increate the data buffers so that the terminating NUL fits. Use strlen
+instead of sizeof to cope with the buffers size increase and to make
+the code future-proof.
+---
+ ChangeLog          |  7 +++++++
+ telnetd/telnetd.c  |  6 +++---
+ telnetd/termstat.c | 34 +++++++++++++++++-----------------
+ 3 files changed, 27 insertions(+), 20 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index ea93a846..99157ea1 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-07-11  Guillem Jover  <guillem@hadrons.org>
++
++	* telnetd/telnetd.c (telnetd_run): Increate the data buffer so that
++	the terminating NUL fits. Use strlen instead of sizeof to cope with
++	the buffer size increase and make the code future-proof.
++	* telnetd/termstat.c (localstat, flowstat, clientstat): Likewise.
++
+ 2017-07-10  Omer Anson <oaanson@gmail.com>  (tiny change)
+ 
+ 	* src/hostname.c (parse_file): Free name and allocate one extra
+diff --git a/telnetd/telnetd.c b/telnetd/telnetd.c
+index 5e13e23d..917a3355 100644
+--- a/telnetd/telnetd.c
++++ b/telnetd/telnetd.c
+@@ -706,15 +706,15 @@ telnetd_run (void)
+ 	      int newflow = (c & TIOCPKT_DOSTOP) ? 1 : 0;
+ 	      if (newflow != flowmode)
+ 		{
+-		  char data[6];
++		  char data[7];
+ 
+ 		  sprintf (data, "%c%c%c%c%c%c",
+ 			   IAC, SB, TELOPT_LFLOW,
+ 			   flowmode ? LFLOW_ON : LFLOW_OFF,
+ 			   IAC, SE);
+-		  net_output_datalen (data, sizeof (data));
++		  net_output_datalen (data, strlen (data));
+ 		  DEBUG (debug_options, 1,
+-			 printsub ('>', data + 2, sizeof (data) - 2));
++			 printsub ('>', data + 2, strlen (data) - 2));
+ 		}
+ 	    }
+ 
+diff --git a/telnetd/termstat.c b/telnetd/termstat.c
+index a3e37d03..167fff1e 100644
+--- a/telnetd/termstat.c
++++ b/telnetd/termstat.c
+@@ -306,7 +306,7 @@ localstat (void)
+ 	}
+       else if (lmodetype == REAL_LINEMODE)
+ 	{
+-	  char data[7];
++	  char data[8];
+ 
+ 	  send_do (TELOPT_LINEMODE, 1);
+ 	  /* send along edit modes */
+@@ -314,9 +314,9 @@ localstat (void)
+ 		   IAC, SB, TELOPT_LINEMODE,
+ 		   LM_MODE, useeditmode,
+ 		   IAC, SE);
+-	  net_output_datalen (data, sizeof (data));
++	  net_output_datalen (data, strlen (data));
+ 	  DEBUG (debug_options, 1,
+-		 printsub ('>', data + 2, sizeof (data) - 2));
++		 printsub ('>', data + 2, strlen (data) - 2));
+ 
+ 	  editmode = useeditmode;
+ 	}
+@@ -341,15 +341,15 @@ localstat (void)
+ 	  /*
+ 	   * Send along appropriate edit mode mask.
+ 	   */
+-	  char data[7];
++	  char data[8];
+ 
+ 	  sprintf (data, "%c%c%c%c%c%c%c",
+ 		   IAC, SB, TELOPT_LINEMODE,
+ 		   LM_MODE, useeditmode,
+ 		   IAC, SE);
+-	  net_output_datalen (data, sizeof (data));
++	  net_output_datalen (data, strlen (data));
+ 	  DEBUG (debug_options, 1,
+-		 printsub ('>', data + 2, sizeof (data) - 2));
++		 printsub ('>', data + 2, strlen (data) - 2));
+ 
+ 	  editmode = useeditmode;
+ 	}
+@@ -393,7 +393,7 @@ flowstat (void)
+ {
+   if (his_state_is_will (TELOPT_LFLOW))
+     {
+-      char data[6];
++      char data[7];
+ 
+       if (tty_flowmode () != flowmode)
+ 	{
+@@ -402,9 +402,9 @@ flowstat (void)
+ 		   IAC, SB, TELOPT_LFLOW,
+ 		   flowmode ? LFLOW_ON : LFLOW_OFF,
+ 		   IAC, SE);
+-	  net_output_datalen (data, sizeof (data));
++	  net_output_datalen (data, strlen (data));
+ 	  DEBUG (debug_options, 1,
+-		 printsub ('>', data + 2, sizeof (data) - 2));
++		 printsub ('>', data + 2, strlen (data) - 2));
+ 	}
+       if (tty_restartany () != restartany)
+ 	{
+@@ -413,9 +413,9 @@ flowstat (void)
+ 		   IAC, SB, TELOPT_LFLOW,
+ 		   restartany ? LFLOW_RESTART_ANY : LFLOW_RESTART_XON,
+ 		   IAC, SE);
+-	  net_output_datalen (data, sizeof (data));
++	  net_output_datalen (data, strlen (data));
+ 	  DEBUG (debug_options, 1,
+-		 printsub ('>', data + 2, sizeof (data) - 2));
++		 printsub ('>', data + 2, strlen (data) - 2));
+ 	}
+     }
+ }
+@@ -478,7 +478,7 @@ clientstat (register int code, register int parm1, register int parm2)
+ 	  if (lmodetype == REAL_LINEMODE && uselinemode)
+ 	    if (uselinemode)
+ 	      {
+-		char data[7];
++		char data[8];
+ 
+ 		useeditmode = 0;
+ 		if (tty_isediting ())
+@@ -494,9 +494,9 @@ clientstat (register int code, register int parm1, register int parm2)
+ 			 IAC, SB, TELOPT_LINEMODE,
+ 			 LM_MODE, useeditmode,
+ 			 IAC, SE);
+-		net_output_datalen (data, sizeof (data));
++		net_output_datalen (data, strlen (data));
+ 		DEBUG (debug_options, 1,
+-		       printsub ('>', data + 2, sizeof (data) - 2));
++		       printsub ('>', data + 2, strlen (data) - 2));
+ 
+ 		editmode = useeditmode;
+ 	      }
+@@ -555,15 +555,15 @@ clientstat (register int code, register int parm1, register int parm2)
+ 
+ 	    if (!ack)
+ 	      {
+-		char data[7];
++		char data[8];
+ 
+ 		sprintf (data, "%c%c%c%c%c%c%c",
+ 			 IAC, SB, TELOPT_LINEMODE,
+ 			 LM_MODE, useeditmode | MODE_ACK,
+ 			 IAC, SE);
+-		net_output_datalen (data, sizeof (data));
++		net_output_datalen (data, strlen (data));
+ 		DEBUG (debug_options, 1,
+-		       printsub ('>', data + 2, sizeof (data) - 2));
++		       printsub ('>', data + 2, strlen (data) - 2));
+ 	      }
+ 
+ 	    editmode = useeditmode;
+-- 
+2.13.2
+
diff --git a/PKGBUILD b/PKGBUILD
index 3bb1c6512cc4..6cefe8a7a16e 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -6,7 +6,7 @@
 set -u
 _pkgname='inetutils'
 pkgname="${_pkgname}-git"
-pkgver=1.9.4.r25.g3d64a8c7
+pkgver=1.9.4.r38.g91960071
 pkgrel=1
 _srcdir="${_pkgname}"
 pkgdesc='A collection of common network programs'
@@ -24,8 +24,9 @@ options=('!emptydirs' '!strip')
 install="${_pkgname}.install"
 _verwatch=('http://ftp.gnu.org/gnu/inetutils/' 'inetutils-\([0-9\.]\+\)\.tar\.gz' 'l')
 source=(
-  "git://git.savannah.gnu.org/${_pkgname}.git#commit=3d64a8c7280e7d218c4b607aa25352be1d6c4ded"
+  "git://git.savannah.gnu.org/${_pkgname}.git" #commit=3d64a8c7280e7d218c4b607aa25352be1d6c4ded"
   'git://git.sv.gnu.org/gnulib'
+  '0001-telnetd-Fix-buffer-overflows.patch'
 ) # This link must be the same as the one in bootstrap
 _archlink="@@@::https://projects.archlinux.org/svntogit/packages.git/plain/trunk/@@@?h=packages/${_pkgname}"
 _archsource=(
@@ -41,6 +42,7 @@ done
 unset _src _archlink
 sha256sums=('SKIP'
             'SKIP'
+            '1eacb0bdb4496f12e7a0593278aa4ae1eadf271a263bf27285acb1c03015c4de'
             'f1b9b4e57f484070366444a649f1be151d01d5bc965b9b192c242e4b7cc4beeb'
             '428367b148033c7fa865e92bdd73b06cb58e6909488649adebf8d2253a022f1f'
             '6112bcdb595937a8c7940dc158a97fd48b8cce6526a9fb017f347f614b9d6548'
@@ -68,11 +70,14 @@ pkgver() {
 prepare() {
   set -u
   cd "${_srcdir}"
-  ln -sf '../gnulib'
+  ln -s '../gnulib'
   # telnetd disconnects without banner on 90% of connections
   # http://lists.gnu.org/archive/html/bug-inetutils/2015-07/msg00006.html
   # http://lists.gnu.org/archive/html/bug-inetutils/2015-08/index.html
-  sed -i -e 's:if (pty_read () <= 0):if (pty_read () < 0):g' 'telnetd/telnetd.c'
+  sed -e 's:if (pty_read () <= 0):if (pty_read () < 0):g' -i 'telnetd/telnetd.c'
+
+  # http://lists.gnu.org/archive/html/bug-inetutils/2017-07/msg00005.html
+  patch -Nbup1 < '../0001-telnetd-Fix-buffer-overflows.patch'
   set +u
 }
 
@@ -99,7 +104,7 @@ _configure() {
       --disable-logger --disable-syslogd \
       --disable-inetd --disable-whois \
       --disable-uucpd --disable-ifconfig --disable-traceroute
-    sed -i -e '/INSTALL_STRIP_PROGRAM/ s: -s::g' 'Makefile'
+    sed -e '/INSTALL_STRIP_PROGRAM/ s: -s::g' -i 'Makefile'
   fi
   cd "${srcdir}"
   set +u