--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi,
Please unblock package atftp
It fixes two sets of vulnerabilities found by Denis Andzakovic[1],
CVE-2019-11365, CVE-2019-11366 and tracked in the BTS as #927553. The
upload to unstable cherry-picks the two upstream commits.
+atftp (0.7.git20120829-3.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix concurrency issue denial of service (CVE-2019-11366) (Closes: #927553)
+ * Fix error handler stack overflow (CVE-2019-11365) (Closes: #927553)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Mon, 29 Apr 2019 19:37:52 +0200
Attached is the debdiff between the version in testing and the
uploaded version in unstable.
unblock atftp/0.7.git20120829-3.1
Regards,
Salvatore
[1] https://pulsesecurity.co.nz/advisories/atftpd-multiple-vulnerabilities
diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog
--- atftp-0.7.git20120829/debian/changelog
+++ atftp-0.7.git20120829/debian/changelog
@@ -1,3 +1,11 @@
+atftp (0.7.git20120829-3.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix concurrency issue denial of service (CVE-2019-11366) (Closes: #927553)
+ * Fix error handler stack overflow (CVE-2019-11365) (Closes: #927553)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Mon, 29 Apr 2019 19:37:52 +0200
+
atftp (0.7.git20120829-3) unstable; urgency=medium
* Ack previous NMU
diff -u atftp-0.7.git20120829/tftpd_file.c atftp-0.7.git20120829/tftpd_file.c
--- atftp-0.7.git20120829/tftpd_file.c
+++ atftp-0.7.git20120829/tftpd_file.c
@@ -304,9 +304,7 @@
else
logger(LOG_WARNING, "source port mismatch, check bypassed");
}
- Strncpy(string, tftphdr->th_msg,
- (((data_size - 4) > MAXLEN) ? MAXLEN :
- (data_size - 4)));
+ Strncpy(string, tftphdr->th_msg, sizeof(string));
if (data->trace)
logger(LOG_DEBUG, "received ERROR <code: %d, msg: %s>",
ntohs(tftphdr->th_code), string);
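Review bot: The new `Strncpy(string, tftphdr->th_msg, sizeof(string));` bounds the copy by the destination only and no longer uses the received length. If Strncpy stops only at a NUL or at the size limit, an ERROR packet whose message is not NUL-terminated can make the copy read past the `data_size` bytes actually received and put stale buffer contents into the log line. The removed expression misbehaved for short packets, but clamping both ways would be tighter than dropping `data_size`: `len = (data_size > 4) ? data_size - 4 : 0;`, then limit `len` to `sizeof(string) - 1` and terminate explicitly. This also relies on `string` being an array rather than a pointer; its declaration is outside the hunk and should be confirmed. The same applies to the `@@ -954` hunk in tftpd_file.c and the `@@ -635` hunk in tftpd_mtftp.c.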
@@ -954,9 +952,7 @@
}
}
/* Got an ERROR from the current master client */
- Strncpy(string, tftphdr->th_msg,
- (((data_size - 4) > MAXLEN) ? MAXLEN :
- (data_size - 4)));
+ Strncpy(string, tftphdr->th_msg, sizeof(string));
if (data->trace)
logger(LOG_DEBUG, "received ERROR <code: %d, msg: %s>",
ntohs(tftphdr->th_code), string);
diff -u atftp-0.7.git20120829/tftpd_list.c atftp-0.7.git20120829/tftpd_list.c
--- atftp-0.7.git20120829/tftpd_list.c
+++ atftp-0.7.git20120829/tftpd_list.c
@@ -49,11 +49,11 @@
*/
int tftpd_list_add(struct thread_data *new)
{
+ pthread_mutex_lock(&thread_list_mutex);
+
struct thread_data *current = thread_data;
int ret;
- pthread_mutex_lock(&thread_list_mutex);
-
number_of_thread++;
ret = number_of_thread;
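Review bot: Moving `pthread_mutex_lock(&thread_list_mutex);` above `struct thread_data *current = thread_data;` puts a statement ahead of the declarations, which C89 mode or `-Wdeclaration-after-statement` builds reject, and nothing in the code says why the order matters. Declaring `struct thread_data *current;` first and assigning `current = thread_data;` after the lock keeps the fix in the older style. A comment such as `/* read the list head only while holding thread_list_mutex */` would stop a later cleanup from moving the initializer back. The same pattern appears in the hunks for tftpd_list_remove, tftpd_clientlist_free, `@@ -250` and tftpd_list_kill_threads. The function bodies continue outside the hunks.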
@@ -81,11 +81,11 @@
*/
int tftpd_list_remove(struct thread_data *old)
{
+ pthread_mutex_lock(&thread_list_mutex);
+
struct thread_data *current = thread_data;
int ret;
- pthread_mutex_lock(&thread_list_mutex);
-
number_of_thread--;
ret = number_of_thread;
@@ -137,6 +137,9 @@
struct thread_data *data,
struct client_info *client)
{
+ /* lock the whole list before walking it */
+ pthread_mutex_lock(&thread_list_mutex);
+
struct thread_data *current = thread_data; /* head of the list */
struct tftp_opt *tftp_options = data->tftp_options;
struct client_info *tmp;
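Review bot: With `pthread_mutex_lock(&thread_list_mutex);` now at function entry, every exit path between the entry and the old lock site (just after the `len = ...` line in the next hunk) runs with the mutex held. Those lines are outside the hunk, so it should be confirmed that none of them returns without `pthread_mutex_unlock(&thread_list_mutex);`, otherwise every later list operation would block. A short comment at the lock stating that all return paths below must unlock would make that invariant visible to future edits.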
@@ -152,7 +155,4 @@
len = (int)((unsigned long)index - (unsigned long)options);
- /* lock the whole list before walking it */
- pthread_mutex_lock(&thread_list_mutex);
-
while (current)
{
@@ -214,9 +214,9 @@
void tftpd_clientlist_remove(struct thread_data *thread,
struct client_info *client)
{
+ pthread_mutex_lock(&thread->client_mutex);
struct client_info *tmp = thread->client_info;
- pthread_mutex_lock(&thread->client_mutex);
while ((tmp->next != client) && (tmp->next != NULL))
tmp = tmp->next;
if (tmp->next == NULL)
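Review bot: `tmp->next` is dereferenced in the `while` condition without checking that `thread->client_info` is non-NULL, so an empty client list would crash the thread while it holds `client_mutex`. tftpd_clientlist_free in the next hunk guards its walk with `while (head)`, which suggests the list can be empty. A guard before the loop would cover that case: `if (tmp == NULL) { pthread_mutex_unlock(&thread->client_mutex); return; }`. The rest of the function is outside the hunk, so an invariant established elsewhere may already rule this out.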
@@ -230,10 +230,11 @@
*/
void tftpd_clientlist_free(struct thread_data *thread)
{
+ pthread_mutex_lock(&thread->client_mutex);
+
struct client_info *tmp;
struct client_info *head = thread->client_info;
- pthread_mutex_lock(&thread->client_mutex);
while (head)
{
tmp = head;
@@ -250,10 +251,10 @@
struct client_info *client,
struct sockaddr_storage *sock)
{
- struct client_info *head = thread->client_info;
-
pthread_mutex_lock(&thread->client_mutex);
+ struct client_info *head = thread->client_info;
+
if (client)
{
client->done = 1;
@@ -334,10 +335,9 @@
void tftpd_list_kill_threads(void)
{
- struct thread_data *current = thread_data; /* head of list */
-
pthread_mutex_lock(&thread_list_mutex);
+ struct thread_data *current = thread_data; /* head of list */
while (current != NULL)
{
diff -u atftp-0.7.git20120829/tftpd_mtftp.c atftp-0.7.git20120829/tftpd_mtftp.c
--- atftp-0.7.git20120829/tftpd_mtftp.c
+++ atftp-0.7.git20120829/tftpd_mtftp.c
@@ -635,9 +635,7 @@
if (sockaddr_equal(sa, &from))
{
/* Got an ERROR from the current master client */
- Strncpy(string, tftphdr->th_msg,
- (((data_size - 4) > MAXLEN) ? MAXLEN :
- (data_size - 4)));
+ Strncpy(string, tftphdr->th_msg, sizeof(string));
if (data->mtftp_data->trace)
logger(LOG_DEBUG, "received ERROR <code: %d, msg: %s>",
ntohs(tftphdr->th_code), string);
--- End Message ---