[Bug 2008789] Re: [MIR] inetutils-telnet
Mark Esler
2008789 at bugs.launchpad.net
Thu Mar 30 00:27:23 UTC 2023
I reviewed inetutils-telnet 2:2.4-2ubuntu1 as checked into lunar. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.
Only telnet related code was audited.
- CVE History:
- 14 CVEs assigned to inetutils
- CVE-2011-4862 CVE-2021-40491 CVE-2021-45774 CVE-2021-45775 CVE-2021-45778 CVE-2021-45779 CVE-2021-45780 CVE-2021-45781 CVE-2021-45782 CVE-2021-46058 CVE-2021-46060 CVE-2019-0053 CVE-2020-10188 CVE-2022-39028
- many of the 2021 CVEs were later revoked, but seem to describe real vulnerabilities
- why the CNA (MITRE) revoked them is unknown
- often done at upstream's request
- e.g., CVE-2021-45778
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45778
- https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00004.html
- https://savannah.gnu.org/bugs/?61723
- https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=ef17ae467e8893f1e3dade95212e91fc411d2714
- NEWS contains many security issues not assigned CVEs
- https://git.savannah.gnu.org/cgit/inetutils.git/tree/NEWS
- security issues that upstream tracks *as bugs* are unlikely to be patched
- in NEWS, the CVE ID number "CVE-2019-0053" is being reused for multiple vulnerabilities
- it is being used to describe all unsanitized input vulnerabilities ?
- vulnerabilities are not being tracked with CVEs by upstream
- difficult for downstream maintenance to track
- Build-Depends?
- debhelper-compat
- debhelper
- netbase
- net-tools
- autoconf
- automake
- bison
- libreadline-dev
- libncurses-dev
- libpam0g-dev
- libwrap0-dev
- libkrb5-dev
- pre/post inst/rm scripts?
- used by telnet to manage dh_installalter natives of telnet between inetutils and netkit
- init scripts?
- not for telnet
- systemd units?
- none
- dbus services?
- none
- setuid binaries?
- not for telnet
- binaries in PATH?
- ./usr/bin/inetutils-telnet
- sudo fragments?
- none
- polkit files?
- none
- udev rules?
- none
- unit tests / autopkgtests?
- telnet build test is skipped !
- `SKIP: telnet-localhost.sh`
- contains autopkgtests
- cron jobs?
- none
- Build logs:
- there are lintian errors for non-telnet packages
- debian/inetutils-telnet.lintian-overrides is trivial
- MANY build warnings
- most for other packages in source package
- trivial lintian overrides
- Processes spawned?
- command.c's shell() vfork's to execute a local shell command
- of course, commands are sent to telenetd
- Memory management?
- heavy use, mostly in ./libtelnet/
- use of setjmp/longjmp
- jump is being used with async calls, which can be an issue if signal mask are changed before longjmp
- netkit's telnet is derived from same base code, netkit uses sigsetjump/siglongjmp to control signal mask
- nb, how setjmp affects signal mask has changed since original unix code
- conditional use of unix/linux ioctl calls suggests that jumps should be portable as well
- Security is fine with this client side
- some buffer size checks
- uses snprintf instead of sprintf where appropriate
- static analyzers found memory leaks
- File IO?
- used to read telnet rcfile
- used to write a debug tracefile
- looks okay
- Logging?
- most output to stderr
- has debug features
- kerberos/shishi has extra handling
- Environment variable usage?
- attempts to use $SHELL to execute local shell command
- attempts to use $USER for autologin if user is not specified
- attempts to use $HOME to find telnetrc
- Use of privileged functions?
- attempts to chown krb5 credentials
- brief check of ioctl calls look okay
- if/else of ioctl calls appears portable
- Use of cryptography / random number sources etc?
- kerberos (and shishi) are supported
- telnet should never be used when encryption is expected
- Use of temp files?
- temp file used for krb5
- Use of networking?
- heavy use
- Use of WebKit?
- none
- Use of PolicyKit?
- none
- Any significant cppcheck results?
- uninitvar of old_env in certain ./libtelnet/read_passwd.c cases
- memleakOnRealloc of opt_reply in telnet/telnet.c
- Any significant Coverity results?
- most take many branches to trigger
- bad bit shift operations
- memory leak of result in ./telent/commands.c:2695
- memory leak of argvp in ./telnet/telnet.c:751
- see coverity.txt
- Any significant shellcheck results?
- only in tests
Telnet should only be used on private networks.
Security team ACK for promoting inetutils-telnet to main.
** Bug watch added: GNU Savannah Bug Tracker #61723
http://savannah.gnu.org/bugs/?61723
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4862
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-0053
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10188
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-40491
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45774
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45775
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45778
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45779
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45780
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45781
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45782
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-46058
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-46060
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-39028
** Changed in: inetutils (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
** Changed in: inetutils (Ubuntu)
Status: New => In Progress
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is a bug assignee.
https://bugs.launchpad.net/bugs/2008789
Title:
[MIR] inetutils-telnet
Status in inetutils package in Ubuntu:
In Progress
Status in netkit-telnet-ssl package in Ubuntu:
New
Bug description:
Dear reviewers, this is my first MIR. I answered all questions very
carefully, but if something feels wrong, please look extra closely or
ask me (~dviererbe) to reinvestigate a given answer.
[Availability]
The package inetutils-telnet is already in Ubuntu universe.
The package inetutils-telnet build for the architectures it is designed to work on.
It currently builds and works for architetcures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
Link to package [[https://launchpad.net/ubuntu/+source/inetutils|inetutils]]
[Rationale]
The package inetutils-telnet is required in Ubuntu main:
- The package inetutils-telnet will not generally be useful for a large part of
our user base, but is important/helpful still because it is commonly used for
network diagnostics, like protocol testing of SMTP services.
- Additionally telnet is still used for legacy industrial and scientific
equipment.
- Package inetutils-telnet covers similar use cases as netkit-telnet, but
is better because netkit-telnet has been dropped altogether from Debian,
thereby we want to replace it.
- The package inetutils-telnet is required in Ubuntu main no later than
April 13th 2023 due to the Ubuntu 23.04 Lunar Lobster release date.
[Security]
- Had security issues in the past:
- CVE-2019-0053 (needs triage)
- https://ubuntu.com/security/CVE-2019-0053
- most likely not relevant:
- CVE-2022-39028 (only related to telnetd)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39028
- https://ubuntu.com/security/CVE-2022-39028
- CVE-2020-10188 (related to netcat):
- https://www.openwall.com/lists/oss-security/2018/12/13/2
- https://www.openwall.com/lists/oss-security/2018/12/14/8
- CVE-2011-4862 (related to telnetd; not sure if relevant anymore)
- https://ubuntu.com/security/CVE-2011-4862
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862
- security issues were patched or reached end of life
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Packages does not open privileged ports (ports < 1024)
- Packages does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
- See list of files for:
- amd64: https://packages.ubuntu.com/lunar/amd64/inetutils-telnet/filelist
- arm64: https://packages.ubuntu.com/lunar/arm64/inetutils-telnet/filelist
- armhf: https://packages.ubuntu.com/lunar/armhf/inetutils-telnet/filelist
- i386: https://packages.ubuntu.com/lunar/i386/inetutils-telnet/filelist
- ppc64el: https://packages.ubuntu.com/lunar/ppc64el/inetutils-telnet/filelist
- s390x: https://packages.ubuntu.com/lunar/s390x/inetutils-telnet/filelist
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/inetutils/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=inetutils
- Upstream-Homepage: https://www.gnu.org/software/inetutils/
- Upstream-Bugtracker: https://lists.gnu.org/archive/html/bug-inetutils/
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail
- The package runs an autopkgtest, and its builds are currently passing on
amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
- link to builds (logs can be accessed through the web UI)
https://launchpad.net/ubuntu/lunar/+builds?build_text=inetutils&build_state=built&arch_tag=all
- Link to autopkgtests https://autopkgtest.ubuntu.com/packages/i/inetutils
- The package does have failing autopkgtests tests right now, but they
allways fail (See: https://bugs.launchpad.net/ubuntu/+source/inetutils/+bug/2009814)
This is okay because the failure occures at the inetutils-ping package.
The Foundations Team is working on a fix.
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Recent build log of inetutils: https://launchpad.net/ubuntu/lunar/+builds?build_text=inetutils&build_state=all&arch_tag=all
- Full output of `lintian --pedantic` is attached as an extra post to this bug.
- A lintian overrides is present, but ok because it is unused
- The lintian Error 'inetutils changes: bad-distribution-in-changes-file lunar-amd64'
emitted in the build log, this is because the debian/changelog file
specifies 'unstable' as distribution.
- This package does not rely on obsolete or about to be demoted packages.
(The dependencies had recent updates and I could not find any open bug
ticket that indicates a upcoming demotion)
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions
- Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/inetutils/tree/debian/control
- There is still the complication that building/testing inetutils-telnet
can fail because of other inetutils-* packages.
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because it is a
command line tool for sysadmins
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Ubuntu Foundations
- Ubuntu Foundations Bugs is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
- The Package description explains the package well
- Debian transitioned its default `telnet` client from netkit-telnet to
inetutils-telnet. This transition was postponed in Ubuntu for kinetic by
having ubuntu-standard Recommend `netkit-telnet` instead of `telnet`.
But now, netkit-telnet has been dropped altogether from Debian and
process-removals is prompting us to also delete it from lunar.
(See: https://packages.debian.org/bookworm/telnet)
- other binary packages from this inetutils might be brought into main
accidentally, or even intentionally but with limited oversight, in the future.
- mixed main/universe is a foreign concept to users
Seeded in lunar.standard as a replacement for netkit-telnet:
https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/platform/commit/?h=lunar&id=349619dc49fdd0695c0bd7f9ae72f535809c2657
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/inetutils/+bug/2008789/+subscriptions
More information about the foundations-bugs
mailing list