
buffer overflow vulnerability in netmask 2.3.12



Dear LTS team,

A buffer overflow vulnerability was recently found in the netmask
package (a small utility that helps determine network masks):

    https://github.com/tlby/netmask/issues/3

The Security Team argued that the version in stretch (2.4.3-1) doesn't
warrant a DSA as the program is built with hardening options enabled
(thus turning the buffer overflow vulnerability into a harmless crash),
but that's not the case for the version in jessie (2.3.12), so I guess
it makes sense to upload a +deb8u1.

I attach a debdiff with a trivial fix backported from 2.4.4, more
specifically the ‘errors.c’ part of

    https://github.com/tlby/netmask/commit/29a9c239bd1008363f5b34ffd6c2cef906f3660c

For convenience, you can also find the source package at

    dget -x https://people.debian.org/~guilhem/tmp/netmask_2.3.12+deb8u1.dsc

Notes:
 * I only started maintaining this package after jessie was frozen, but
   the previous maintainer is no longer active and I thus took the
   liberty to update the ‘Maintainer’ field in d/control accordingly.
 * Before 2.4.2-1 the package was (incorrectly) native, so in this
   jessie-security package I applied the fix directly to the upstream
   source rather than going via a patch series.
 * Upstream hasn't yet filed a CVE for this issue; I forwarded jmm's
   instructions regarding this.

Thanks!
-- 
Guilhem.
diff -Nru netmask-2.3.12/debian/changelog netmask-2.3.12+deb8u1/debian/changelog
--- netmask-2.3.12/debian/changelog	2010-04-26 04:29:39.000000000 +0200
+++ netmask-2.3.12+deb8u1/debian/changelog	2019-02-06 01:08:09.000000000 +0100
@@ -1,3 +1,10 @@
+netmask (2.3.12+deb8u1) jessie-security; urgency=medium
+
+  * Fix buffer overflow vulnerability
+    https://github.com/tlby/netmask/issues/3
+
+ -- Guilhem Moulin <guilhem@debian.org>  Wed, 06 Feb 2019 01:08:09 +0100
+
 netmask (2.3.12) unstable; urgency=low
 
   * Include patches directly in source because it's a native package 
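Review bot: the new 2.3.12+deb8u1 entry records only the buffer overflow fix, while the same upload also changes the Maintainer field in debian/control. Add a second bullet for the Maintainer update so the changelog accounts for every change in the debdiff, and consider naming errors.c and the upstream commit the fix was backported from, since the entry currently links only to the issue.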
diff -Nru netmask-2.3.12/debian/control netmask-2.3.12+deb8u1/debian/control
--- netmask-2.3.12/debian/control	2010-04-26 04:29:39.000000000 +0200
+++ netmask-2.3.12+deb8u1/debian/control	2019-02-06 01:08:09.000000000 +0100
@@ -1,7 +1,7 @@
 Source: netmask
 Section: net
 Priority: optional
-Maintainer: Luis Uribe <acme@eviled.org>
+Maintainer: Guilhem Moulin <guilhem@debian.org>
 Build-Depends: debhelper (>= 5), texinfo
 Standards-Version: 3.8.4
 
diff -Nru netmask-2.3.12/errors.c netmask-2.3.12+deb8u1/errors.c
--- netmask-2.3.12/errors.c	2010-04-26 04:29:39.000000000 +0200
+++ netmask-2.3.12+deb8u1/errors.c	2019-02-06 01:04:57.000000000 +0100
@@ -66,7 +66,7 @@
 
     if(!show_status) return(0);
     va_start(args, fmt);
-    vsprintf(buf, fmt, args);
+    vsnprintf(buf, sizeof(buf), fmt, args);
     va_end(args);
     return(message(LOG_DEBUG, buf));
 }
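Review bot: `sizeof(buf)` in the new vsnprintf call is only the right bound if `buf` is declared as an array in this function; its declaration is outside the visible context, so please confirm it is not a pointer or a parameter, in which case sizeof would give the pointer size. The same applies to the identical replacements in the next two hunks. The return value of vsnprintf is also ignored, so an over-long message is now silently truncated; that is acceptable for a log line, but worth stating in the changelog or a comment.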
@@ -76,7 +76,7 @@
     va_list args;
 
     va_start(args, fmt);
-    vsprintf(buf, fmt, args);
+    vsnprintf(buf, sizeof(buf), fmt, args);
     va_end(args);
     return(message(LOG_WARNING, buf));
 }
@@ -86,7 +86,7 @@
     va_list args;
 
     va_start(args, fmt);
-    vsprintf(buf, fmt, args);
+    vsnprintf(buf, sizeof(buf), fmt, args);
     va_end(args);
     message(LOG_ERR, buf);
     exit(1);
@@ -97,7 +97,7 @@
 
     /* only handle errno if this is not an informational message */
     if(errno && priority < 5) {
-	sprintf(buf, "%s: %s", msg, strerror(errno));
+	snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno));
 	errno = 0;
     } else strcpy(buf, msg);
     if(use_syslog) syslog(priority, "%s", buf);
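Review bot: the else branch on the context line `} else strcpy(buf, msg);` is still an unbounded copy after this change. It is safe only while every caller passes a `msg` no longer than this function's `buf`, which now depends on the callers' buffers being no larger than this one. Bounding it the same way, for example `snprintf(buf, sizeof(buf), "%s", msg)`, would remove that dependency and make the hunk consistent with the sprintf replacement just above it.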
