Comment 15 for bug 2008789

Mark Esler (eslerm) wrote :

I reviewed inetutils-telnet 2:2.4-2ubuntu1 as checked into lunar. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

Only telnet related code was audited.

- CVE History:
  - 14 CVEs assigned to inetutils
    - CVE-2011-4862 CVE-2021-40491 CVE-2021-45774 CVE-2021-45775 CVE-2021-45778 CVE-2021-45779 CVE-2021-45780 CVE-2021-45781 CVE-2021-45782 CVE-2021-46058 CVE-2021-46060 CVE-2019-0053 CVE-2020-10188 CVE-2022-39028
  - many of the 2021 CVEs were later revoked, but seem to describe real vulnerabilities
    - why the CNA (MITRE) revoked them is unknown
      - often done at upstream's request
    - e.g., CVE-2021-45778
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45778
      - https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00004.html
      - https://savannah.gnu.org/bugs/?61723
      - https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=ef17ae467e8893f1e3dade95212e91fc411d2714
  - NEWS contains many security issues not assigned CVEs
    - https://git.savannah.gnu.org/cgit/inetutils.git/tree/NEWS
    - security issues that upstream tracks *as bugs* are unlikely to be patched
  - in NEWS, the CVE ID number "CVE-2019-0053" is being reused for multiple vulnerabilities
    - it is being used to describe all unsanitized input vulnerabilities?
  - vulnerabilities are not being tracked with CVEs by upstream
    - difficult for downstream maintenance to track
- Build-Depends?
  - debhelper-compat
  - debhelper
  - netbase
  - net-tools
  - autoconf
  - automake
  - bison
  - libreadline-dev
  - libncurses-dev
  - libpam0g-dev
  - libwrap0-dev
  - libkrb5-dev
- pre/post inst/rm scripts?
  - used by telnet to manage dh_installalternatives of telnet between inetutils and netkit
- init scripts?
  - not for telnet
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - not for telnet
- binaries in PATH?
  - ./usr/bin/inetutils-telnet
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - telnet build test is skipped!
    - `SKIP: telnet-localhost.sh`
  - contains autopkgtests
- cron jobs?
  - none
- Build logs:
  - there are lintian errors for non-telnet packages
    - debian/inetutils-telnet.lintian-overrides is trivial
  - MANY build warnings
    - most for other packages in source package
  - trivial lintian overrides

- Processes spawned?
  - command.c's shell() vfork's to execute a local shell command
  - of course, commands are sent to telnetd
- Memory management?
  - heavy use, mostly in ./libtelnet/
  - use of setjmp/longjmp
    - jump is being used with async calls, which can be an issue if the signal mask is changed before longjmp
    - netkit's telnet is derived from the same base code; netkit uses sigsetjmp/siglongjmp to control the signal mask
    - nb, how setjmp affects signal mask has changed since original unix code
      - conditional use of unix/linux ioctl calls suggests that jumps should be portable as well
    - Security is fine with this client side
  - some buffer size checks
  - uses snprintf instead of sprintf where appropriate
  - static analyzers found memory leaks
- File IO?
  - used to read telnet rcfile
  - used to write a debug tracefile
  - looks okay
- Logging?
  - most output to stderr
  - has debug features
  - kerberos/shishi has extra handling
- Environment variable usage?
  - attempts to use $SHELL to execute local shell command
  - attempts to use $USER for autologin if user is not specified
  - attempts to use $HOME to find telnetrc
- Use of privileged functions?
  - attempts to chown krb5 credentials
  - brief check of ioctl calls looks okay
  - if/else of ioctl calls appears portable
- Use of cryptography / random number sources etc?
  - kerberos (and shishi) are supported
  - telnet should never be used when encryption is expected
- Use of temp files?
  - temp file used for krb5
- Use of networking?
  - heavy use
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - uninitvar of old_env in certain ./libtelnet/read_passwd.c cases
  - memleakOnRealloc of opt_reply in telnet/telnet.c
- Any significant Coverity results?
  - most take many branches to trigger
  - bad bit shift operations
  - memory leak of result in ./telnet/commands.c:2695
  - memory leak of argvp in ./telnet/telnet.c:751
  - see coverity.txt
- Any significant shellcheck results?
  - only in tests

Telnet should only be used on private networks.

Security team ACK for promoting inetutils-telnet to main.
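The setjmp/longjmp versus sigsetjmp/siglongjmp point raised in the review, shown as an added example (not inetutils or netkit code): a handler escapes with a long jump, as the old telnet code does, and the function reports whether the signal stays blocked afterwards. The scenario, the SIGUSR1 choice and the use of the XSI `_setjmp`/`_longjmp` pair (which never saves the mask) are assumptions for illustration.

```c
#define _GNU_SOURCE              /* exposes _setjmp/_longjmp on glibc */
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>

/* While a handler runs, the kernel blocks the signal being handled.
   Whether that block survives an escape by long jump depends on
   which jump family saved the signal mask. */
static sigjmp_buf sig_env;       /* for sigsetjmp/siglongjmp */
static jmp_buf plain_env;        /* for _setjmp/_longjmp */

static void handler_siglongjmp(int sig) { (void)sig; siglongjmp(sig_env, 1); }
static void handler_longjmp(int sig)    { (void)sig; _longjmp(plain_env, 1); }

/* Returns 1 if SIGUSR1 is still blocked after escaping its own handler
   via a jump, 0 if the pre-signal mask was restored. */
static int blocked_after_escape(int use_sigsetjmp) {
    struct sigaction sa, old;
    sigset_t orig, after;
    int blocked;

    sigprocmask(SIG_SETMASK, NULL, &orig);          /* remember caller's mask */
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;                                /* no SA_NODEFER: blocked in handler */
    sa.sa_handler = use_sigsetjmp ? handler_siglongjmp : handler_longjmp;
    sigaction(SIGUSR1, &sa, &old);

    if (use_sigsetjmp) {
        if (sigsetjmp(sig_env, 1) == 0)             /* savesigs=1: mask saved and restored */
            raise(SIGUSR1);
    } else {
        if (_setjmp(plain_env) == 0)                /* XSI _setjmp never saves the mask */
            raise(SIGUSR1);
    }

    sigprocmask(SIG_SETMASK, NULL, &after);
    blocked = sigismember(&after, SIGUSR1);

    sigaction(SIGUSR1, &old, NULL);                 /* undo the test's handler */
    sigprocmask(SIG_SETMASK, &orig, NULL);          /* and any leaked block */
    return blocked;
}
```

With plain `setjmp` the result is platform dependent (BSD derivatives save the mask, glibc and musl do not), which is why portable code pins the behaviour with `sigsetjmp(env, 1)`.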