Fix buffer overflow in telnetd

Allowing remote attackers to execute arbitrary code via a long
encryption key. Patch taken from FreeBSD. CVE-2011-4862

3 files changed, 23 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index b3ccf7b..8b5e977 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+inetutils (2:1.8-6) UNRELEASED; urgency=high
+
+  * Fix buffer overflow in telnetd allowing remote attackers to execute
+    arbitrary code via a long encryption key. Patch taken from FreeBSD.
+    CVE-2011-4862
+
+ -- Guillem Jover <guillem@debian.org>  Wed, 28 Dec 2011 02:25:37 +0100
+
 inetutils (2:1.8-5) unstable; urgency=low
 
   * Move man pages from patches to actual files under debian/local/man/ to
diff --git a/debian/patches/99_CVE-2011-4862.patch b/debian/patches/99_CVE-2011-4862.patch
new file mode 100644
index 0000000..4bb677e
--- /dev/null
+++ b/debian/patches/99_CVE-2011-4862.patch
@@ -0,0 +1,14 @@
+Index: git/libtelnet/encrypt.c
+===================================================================
+--- git.orig/libtelnet/encrypt.c	2011-12-25 16:51:52.000000000 +0100
++++ git/libtelnet/encrypt.c	2011-12-25 16:58:22.441175233 +0100
+@@ -794,6 +794,9 @@
+   int dir = kp->dir;
+   register int ret = 0;
+ 
++   if (len > MAXKEYLEN)
++     len = MAXKEYLEN;
++
+   if (!(ep = (*kp->getcrypt) (*kp->modep)))
+     {
+       if (len == 0)
diff --git a/debian/patches/series b/debian/patches/series
index 67158ab..559f31c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@
 64_telnetd_ipv6_sockaddrlen.patch
 70_ftbfs_non-linux.patch
 72_traceroute_fix_setsockopt.patch
+99_CVE-2011-4862.patch