After 14 months of development, the release of the set gnu inetutils 2.5 has been announced. This set includes a collection of network programs, most of which have been transferred from BSD systems. The composition of the set includes inetd and syslogd servers and clients for FTP, Telnet, RSH, RSH, RLOGIN, TFTP, and Talk, as well as typical utilities such as Ping, Ping6, Traceroute, Whois, Hostname, DnSDomainname, IFCONFIG, LOGGER, etc.
In the new version, a vulnerability in the SUID programs FTPD, RCP, RLOGIN, RSH, RSHD, and UCPD has been eliminated. The vulnerability was caused by a lack of verification in the programs’ SET*id() and SET*Guid() functions. The vulnerability, identified as cve-2023-40303), allowed the programs to continue running with increased privileges even after a SET*id() call. This could potentially be exploited to perform operations under unintended user rights. For example, FTPD, UCPD, and RSHD processes launched with ROOT rights would continue to use ROOT rights even after launching user sessions.
In addition to eliminating the vulnerability and fixing small errors, the new version also includes an update to the Ping6 utility. It now supports ICMPV6-messages with information about the inaccessibility of the target host (“Destination Unreachable”, RFC 4443).