[ASA-202106-20] inetutils: arbitrary code execution
Arch Linux Security Advisory ASA-202106-20
==========================================

Severity: High
Date    : 2021-06-09
CVE-ID  : CVE-2019-0053 CVE-2020-10188
Package : inetutils
Type    : arbitrary code execution
Remote  : Yes
Link    :

Summary
=======

The package inetutils before version 2.0-1 is vulnerable to arbitrary code
execution.

Resolution
==========

Upgrade to 2.0-1.

# pacman -Syu "inetutils>=2.0-1"

The problems have been fixed upstream in version 2.0.

Workaround
==========

None.

Description
===========

- CVE-2019-0053 (arbitrary code execution)

inetutils before version contains a stack overflow vulnerability in the
client-side environment variable handling which can be exploited to escape
restricted shells on embedded devices. A stack-based overflow is present in
the handling of environment variables when connecting telnet.c to remote
telnet servers through oversized DISPLAY arguments.

- CVE-2020-10188 (arbitrary code execution)

A vulnerability was found in inetutils before version where incorrect bounds
checks in the telnet server's (telnetd) handling of short writes and urgent
data could lead to information disclosure and corruption of heap data. An
unauthenticated remote attacker could exploit these bugs by sending specially
crafted telnet packets to achieve arbitrary code execution in the telnet
server.

Impact
======

Requesting environment variables with crafted contents could lead to
arbitrary code execution in a telnet client. Additionally an unauthenticated
remote attacker could execute arbitrary code on a telnet server via crafted
packets.

References
==========

;a=commitdiff;h=1480573a908254662074865406ac6fbde4694e5d
;a=commitdiff;h=07fdb4201a3a5e6df92c0929c65671ce4ba8af5a
;a=commitdiff;h=cd7e7e685daeafb68f19347747af6340731a4518
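The CVE-2019-0053 entry describes the general failure mode behind the client-side bug: an environment variable value (here DISPLAY) copied into a fixed-size stack buffer without checking its length. The following is an added illustration of the defensive pattern, not code from inetutils and not a reconstruction of its patch; the buffer size ENV_VALUE_MAX, the function names and the sample values are constructed for the example. The point is that an oversized value is rejected outright rather than truncated or written past the buffer, and the length scan itself is bounded so untrusted input can never drive the copy.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer, standing in for the kind of
 * buffer a client uses when forwarding environment variables to a
 * server. The size is constructed for this example. */
#define ENV_VALUE_MAX 256

/* Copy `value` into dst[dstlen] only if it fits including the NUL.
 * Returns 1 on success, 0 if the value is rejected. The destination is
 * left untouched on rejection, so a caller can never observe a partial
 * or overrun write. */
int copy_env_value_checked(const char *value, char *dst, size_t dstlen)
{
    if (value == NULL || dst == NULL || dstlen == 0)
        return 0;
    /* strnlen never scans past dstlen, so an attacker-controlled value
     * cannot make the length check itself walk arbitrary memory. */
    size_t len = strnlen(value, dstlen);
    if (len >= dstlen)          /* no room for the terminating NUL */
        return 0;
    memcpy(dst, value, len + 1);
    return 1;
}

/* Forward DISPLAY from the process environment into a bounded buffer.
 * Returns 1 if forwarded, 0 if absent or oversized. */
int forward_display(char *out, size_t outlen)
{
    const char *display = getenv("DISPLAY");
    if (display == NULL)
        return 0;
    return copy_env_value_checked(display, out, outlen);
}

/* Self-check with constructed inputs: a 600-byte value must be rejected
 * and leave the buffer untouched; a normal value must be copied intact.
 * Returns 1 when both hold. */
int selftest_bounded_copy(void)
{
    char buf[ENV_VALUE_MAX];
    memset(buf, 'X', sizeof buf);
    buf[0] = '\0';

    char big[600];                      /* constructed oversized value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    if (copy_env_value_checked(big, buf, sizeof buf) != 0)
        return 0;
    if (buf[0] != '\0' || buf[1] != 'X')  /* destination untouched */
        return 0;
    if (copy_env_value_checked("localhost:10.0", buf, sizeof buf) != 1)
        return 0;
    return strcmp(buf, "localhost:10.0") == 0;
}

int main(void)
{
    char buf[ENV_VALUE_MAX];
    if (forward_display(buf, sizeof buf))
        printf("DISPLAY forwarded: %s\n", buf);
    else
        printf("DISPLAY absent or oversized; not forwarded\n");
    printf("selftest: %s\n", selftest_bounded_copy() ? "ok" : "FAILED");
    return 0;
}
```

Run with an oversized value, e.g. `DISPLAY=$(head -c 600 /dev/zero | tr '\0' A) ./a.out`, and the client-side code refuses to forward it; this is the behaviour a fix for a bug of this class should exhibit, independent of how a particular server later parses the option.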