I reviewed inetutils-telnet 2:2.4-2ubuntu1 as checked into lunar. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
Only telnet related code was audited.
- CVE History:
- 14 CVEs assigned to inetutils
- CVE-2011-4862 CVE-2021-40491 CVE-2021-45774 CVE-2021-45775 CVE-2021-45778 CVE-2021-45779 CVE-2021-45780 CVE-2021-45781 CVE-2021-45782 CVE-2021-46058 CVE-2021-46060 CVE-2019-0053 CVE-2020-10188 CVE-2022-39028
- many of the 2021 CVEs were later revoked, but seem to describe real vulnerabilities
- why the CNA (MITRE) revoked them is unknown
- often done at upstream's request
- e.g., CVE-2021-45778
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45778
- https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00004.html
- https://savannah.gnu.org/bugs/?61723
- https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=ef17ae467e8893f1e3dade95212e91fc411d2714
- NEWS contains many security issues not assigned CVEs
- https://git.savannah.gnu.org/cgit/inetutils.git/tree/NEWS
- security issues that upstream tracks *as bugs* are unlikely to be patched
- in NEWS, the CVE ID number "CVE-2019-0053" is being reused for multiple vulnerabilities
- it appears to be used to describe all unsanitized-input vulnerabilities?
- vulnerabilities are not being tracked with CVEs by upstream
- difficult for downstream maintenance to track
- Build-Depends?
- debhelper-compat
- debhelper
- netbase
- net-tools
- autoconf
- automake
- bison
- libreadline-dev
- libncurses-dev
- libpam0g-dev
- libwrap0-dev
- libkrb5-dev
- pre/post inst/rm scripts?
- used by telnet to manage the alternatives (dh_installalternatives) for telnet between inetutils and netkit
- init scripts?
- not for telnet
- systemd units?
- none
- dbus services?
- none
- setuid binaries?
- not for telnet
- binaries in PATH?
- ./usr/bin/inetutils-telnet
- sudo fragments?
- none
- polkit files?
- none
- udev rules?
- none
- unit tests / autopkgtests?
- telnet build test is skipped!
- `SKIP: telnet-localhost.sh`
- contains autopkgtests
- cron jobs?
- none
- Build logs:
- there are lintian errors for non-telnet packages
- debian/inetutils-telnet.lintian-overrides is trivial
- MANY build warnings
- most for other packages in source package
- trivial lintian overrides
- Processes spawned?
- commands.c's shell() vfork()s to execute a local shell command
- of course, commands are sent to telnetd
- Memory management?
- heavy use, mostly in ./libtelnet/
- use of setjmp/longjmp
- jump is being used with async calls, which can be an issue if the signal mask is changed before longjmp
- netkit's telnet is derived from the same base code; netkit uses sigsetjmp/siglongjmp to control the signal mask
- nb, how setjmp affects signal mask has changed since original unix code
- conditional use of unix/linux ioctl calls suggests that jumps should be portable as well
- security is fine with this on the client side
- some buffer size checks
- uses snprintf instead of sprintf where appropriate
- static analyzers found memory leaks
- File IO?
- used to read telnet rcfile
- used to write a debug tracefile
- looks okay
- Logging?
- most output to stderr
- has debug features
- kerberos/shishi has extra handling
- Environment variable usage?
- attempts to use $SHELL to execute local shell command
- attempts to use $USER for autologin if user is not specified
- attempts to use $HOME to find telnetrc
- Use of privileged functions?
- attempts to chown krb5 credentials
- brief check of ioctl calls looks okay
- if/else of ioctl calls appears portable
- Use of cryptography / random number sources etc?
- kerberos (and shishi) are supported
- telnet should never be used when encryption is expected
- Use of temp files?
- temp file used for krb5
- Use of networking?
- heavy use
- Use of WebKit?
- none
- Use of PolicyKit?
- none
- Any significant cppcheck results?
- uninitvar of old_env in certain ./libtelnet/read_passwd.c cases
- memleakOnRealloc of opt_reply in telnet/telnet.c
- Any significant Coverity results?
- most take many branches to trigger
- bad bit shift operations
- memory leak of result in ./telnet/commands.c:2695
- memory leak of argvp in ./telnet/telnet.c:751
- see coverity.txt
- Any significant shellcheck results?
- only in tests
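The cppcheck finding "memleakOnRealloc" above names a specific pattern: the only pointer to a buffer is overwritten with realloc's return value, so on allocation failure the old block can never be freed and its contents are gone. Added example (not the inetutils code; the struct, function names and the "reply" sample bytes are constructed for illustration) showing the flagged form beside the fixed one, with a shim that forces one realloc to fail so both behaviours can be observed:

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocator shim: when fail_next_realloc is set, the next realloc
   reports ENOMEM. The pointer it was asked to grow is remembered only so the
   demo can release the block the leaky version loses track of. */
static int   fail_next_realloc = 0;
static void *orphaned_by_failed_realloc = NULL;

static void *realloc_or_fail(void *p, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        orphaned_by_failed_realloc = p;
        errno = ENOMEM;
        return NULL;
    }
    return realloc(p, n);
}

/* Growable accumulator, loosely in the shape of a suboption reply buffer. */
struct reply { unsigned char *buf; size_t len; size_t cap; };

static size_t grow_cap(size_t cap, size_t need)
{
    size_t ncap = cap ? cap : 16;
    while (ncap < need) ncap *= 2;
    return ncap;
}

/* Flagged pattern (cppcheck memleakOnRealloc): r->buf is overwritten by the
   realloc result, so on failure the old block is unreachable and leaks. */
int reply_append_leaky(struct reply *r, const unsigned char *d, size_t n)
{
    if (r->len + n > r->cap) {
        size_t ncap = grow_cap(r->cap, r->len + n);
        r->buf = realloc_or_fail(r->buf, ncap);   /* BUG: old buffer lost on NULL */
        if (r->buf == NULL) {
            r->len = r->cap = 0;
            return -1;
        }
        r->cap = ncap;
    }
    memcpy(r->buf + r->len, d, n);
    r->len += n;
    return 0;
}

/* Fixed pattern: realloc into a temporary. On failure the reply is untouched;
   the caller still owns the old buffer and its contents. */
int reply_append(struct reply *r, const unsigned char *d, size_t n)
{
    if (r->len + n > r->cap) {
        size_t ncap = grow_cap(r->cap, r->len + n);
        unsigned char *tmp = realloc_or_fail(r->buf, ncap);
        if (tmp == NULL)
            return -1;                            /* r unchanged: no leak, no data loss */
        r->buf = tmp;
        r->cap = ncap;
    }
    memcpy(r->buf + r->len, d, n);
    r->len += n;
    return 0;
}

/* Drive one append variant into a forced realloc failure and report how many
   bytes the reply still holds: 0 for the leaky version, 24 for the fixed one. */
size_t bytes_kept_after_failure(int (*append)(struct reply *, const unsigned char *, size_t))
{
    static const unsigned char first[] = "IAC SB TERMINAL-TYPE IS";        /* constructed, 24 bytes incl. NUL */
    static const unsigned char more[]  = "xterm-256colorxterm-256color";   /* forces growth past 32 */
    struct reply r = { NULL, 0, 0 };
    size_t kept;

    if (append(&r, first, sizeof first) != 0)
        return (size_t)-1;
    fail_next_realloc = 1;
    (void)append(&r, more, sizeof more);          /* the growing realloc fails here */
    kept = r.len;
    if (r.buf)
        free(r.buf);                              /* fixed version: buffer still owned */
    else
        free(orphaned_by_failed_realloc);         /* leaky version: only the shim still knows the block */
    return kept;
}
```

Coverity's "memory leak of result/argvp" findings are the same class of defect on error paths that take several branches to reach; the realloc-into-temporary idiom is the check to apply wherever a realloc result is assigned straight back to its source pointer.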
Telnet should only be used on private networks.
Security team ACK for promoting inetutils-telnet to main.