I reviewed inetutils-telnet 2:2.4-2ubuntu1 as checked into lunar. This shouldn't be considered a full audit but rather a quick gauge of maintainability. Only telnet related code was audited.

- CVE History:
  - 14 CVEs assigned to inetutils:
    - CVE-2011-4862
    - CVE-2021-40491
    - CVE-2021-45774
    - CVE-2021-45775
    - CVE-2021-45778
    - CVE-2021-45779
    - CVE-2021-45780
    - CVE-2021-45781
    - CVE-2021-45782
    - CVE-2021-46058
    - CVE-2021-46060
    - CVE-2019-0053
    - CVE-2020-10188
    - CVE-2022-39028
  - many of the 2021 CVEs were later revoked, but seem to describe real vulnerabilities
    - why the CNA (MITRE) revoked them is unknown
      - often done at upstream's request
    - e.g., CVE-2021-45778
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45778
      - https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00004.html
      - https://savannah.gnu.org/bugs/?61723
      - https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=ef17ae467e8893f1e3dade95212e91fc411d2714
  - NEWS contains many security issues not assigned CVEs
    - https://git.savannah.gnu.org/cgit/inetutils.git/tree/NEWS
    - security issues that upstream tracks *as bugs* are unlikely to be patched
  - in NEWS, the CVE ID "CVE-2019-0053" is being reused for multiple vulnerabilities
    - it is being used to describe all unsanitized input vulnerabilities?
  - vulnerabilities are not being tracked with CVEs by upstream
    - difficult for downstream maintenance to track
- Build-Depends?
  - debhelper-compat
  - debhelper
  - netbase
  - net-tools
  - autoconf
  - automake
  - bison
  - libreadline-dev
  - libncurses-dev
  - libpam0g-dev
  - libwrap0-dev
  - libkrb5-dev
- pre/post inst/rm scripts?
  - used by telnet to manage the telnet alternatives (dh_installalternatives) between inetutils and netkit
- init scripts?
  - not for telnet
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - not for telnet
- binaries in PATH?
  - ./usr/bin/inetutils-telnet
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - telnet build test is skipped!
    - `SKIP: telnet-localhost.sh`
  - contains autopkgtests
- cron jobs?
  - none
- Build logs:
  - there are lintian errors for non-telnet packages
  - debian/inetutils-telnet.lintian-overrides is trivial
  - MANY build warnings
    - most for other packages in the source package
  - trivial lintian overrides
- Processes spawned?
  - commands.c's shell() vfork()s to execute a local shell command
  - of course, commands are sent to telnetd
- Memory management?
  - heavy use, mostly in ./libtelnet/
  - use of setjmp/longjmp
    - the jump is used with async calls, which can be an issue if the signal mask is changed before longjmp
    - netkit's telnet is derived from the same base code; netkit uses sigsetjmp/siglongjmp to control the signal mask
    - nb, how setjmp affects the signal mask has changed since the original unix code
    - conditional use of unix/linux ioctl calls suggests that jumps should be portable as well
    - security is fine with this on the client side
  - some buffer size checks
  - uses snprintf instead of sprintf where appropriate
  - static analyzers found memory leaks
- File IO?
  - used to read the telnet rcfile
  - used to write a debug tracefile
  - looks okay
- Logging?
  - most output to stderr
  - has debug features
  - kerberos/shishi has extra handling
- Environment variable usage?
  - attempts to use $SHELL to execute a local shell command
  - attempts to use $USER for autologin if a user is not specified
  - attempts to use $HOME to find telnetrc
- Use of privileged functions?
  - attempts to chown krb5 credentials
  - brief check of ioctl calls looks okay
    - if/else of ioctl calls appears portable
- Use of cryptography / random number sources etc?
  - kerberos (and shishi) are supported
  - telnet should never be used when encryption is expected
- Use of temp files?
  - temp file used for krb5
- Use of networking?
  - heavy use
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck results?
  - uninitvar of old_env in certain ./libtelnet/read_passwd.c cases
  - memleakOnRealloc of opt_reply in telnet/telnet.c
- Any significant Coverity results?
  - most take many branches to trigger
  - bad bit shift operations
  - memory leak of result in ./telnet/commands.c:2695
  - memory leak of argvp in ./telnet/telnet.c:751
  - see coverity.txt
- Any significant shellcheck results?
  - only in tests

Telnet should only be used on private networks.

Security team ACK for promoting inetutils-telnet to main.
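The setjmp/longjmp point under "Memory management" above (a longjmp out of a signal handler leaves the handled signal blocked unless the mask was saved with the jump context, which is why netkit uses sigsetjmp/siglongjmp) can be shown directly. This is an added example, not inetutils or netkit code; it uses a constructed SIGUSR1 handler and assumes Linux/glibc semantics, where plain setjmp() does not save the signal mask.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <string.h>
/* Constructed demo of the pattern the review flags: a signal handler that
   longjmps back out. Two buffers, one per API, so each jump matches its setjmp. */
static jmp_buf plain_env;
static sigjmp_buf sig_env;
static volatile sig_atomic_t use_sigsetjmp;

static void on_usr1(int sig)
{
    (void)sig;
    /* The kernel keeps SIGUSR1 blocked while this handler runs; jumping out
       skips the normal return that would have unblocked it. */
    if (use_sigsetjmp)
        siglongjmp(sig_env, 1);  /* restores the mask saved by sigsetjmp(env, 1) */
    else
        longjmp(plain_env, 1);   /* glibc/Linux setjmp saved no mask: stays blocked */
}

/* Returns 1 if SIGUSR1 is unblocked after jumping out of the handler (mask
   restored), 0 if it is still blocked. Leaves process state as it found it. */
int usr1_unblocked_after_jump(int with_sigsetjmp)
{
    struct sigaction sa, old;
    sigset_t usr1, now;
    int unblocked;
    sigemptyset(&usr1);
    sigaddset(&usr1, SIGUSR1);
    sigprocmask(SIG_UNBLOCK, &usr1, NULL);  /* known starting state: unblocked */
    memset(&sa, 0, sizeof sa);              /* no SA_NODEFER, so handler runs masked */
    sa.sa_handler = on_usr1;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGUSR1, &sa, &old);
    use_sigsetjmp = with_sigsetjmp;
    if (with_sigsetjmp) {
        if (sigsetjmp(sig_env, 1) == 0)     /* savemask = 1, as netkit does */
            raise(SIGUSR1);                 /* delivered synchronously */
    } else {
        if (setjmp(plain_env) == 0)
            raise(SIGUSR1);
    }
    sigprocmask(SIG_BLOCK, NULL, &now);     /* query the mask after the jump */
    unblocked = !sigismember(&now, SIGUSR1);
    sigprocmask(SIG_UNBLOCK, &usr1, NULL);  /* undo a leaked block, restore handler */
    sigaction(SIGUSR1, &old, NULL);
    return unblocked;
}
```

With the plain setjpmp/longjmp pair the signal stays blocked after the jump, so a later SIGUSR1 would never be delivered; the sigsetjmp(env, 1)/siglongjmp pair returns with the original mask.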