Hi,

On Sun, Mar 29, 2020 at 09:40:00AM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sat, Mar 28, 2020 at 06:43:28PM +0000, Marcos Marado wrote:
> > Did anyone confirm this against Debian's netkit?
>
> No this needs to happen yet. We rather want to play on the safe side
> here and mark something yet 'wrongly as affected until we have
> assurance that the vulnerability is not present in the code.
>
> >
> > At least on 0.17.24 (the earlier version on debian I could get my
> > hands on) or later, the nextitem function has this check:
> >
> > > if (current >= end) {
> > >     current = next;
> > >     if (!current) {
> > >         return 0;
> > >     }
> > >     end = nextend;
> > >     next = 0;
> > > }
> >
> > From my understanding of the CVE (and brief analysis), this should be
> > enough to avoid any possible exploitation, so I installed telnetd and
> > tried to run the exploit against it. And, indeed, the result I got
> > was:
> >
> > > ??? Connecting to 0:23
> > > infoleak unsuccessful.
> >
> > I might be missing something here, but I suspect that debian's
> > netkit-telnet (and netkit-telnet-ssl) are not affected by this CVE.
>
> Thanks this might help to track the issue further.

It might be possible that Debian is fixed for it since 0.17-18woody2
(for src:netkit-telnet).

Salvatore