[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#928359: marked as done (unblock: atftp/0.7.git20120829-3.1)

Your message dated Sun, 05 May 2019 11:49:54 +0000
with message-id <E1hNFeU-00081i-2c@respighi.debian.org>
and subject line unblock atftp
has caused the Debian Bug report #928359,
regarding unblock: atftp/0.7.git20120829-3.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928359: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928359
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package atftp

It fixes two set of vulnerabilities found by Denis Andzakovic[1],
CVE-2019-11365, CVE-2019-11366 and tracked in the BTS as #927553. The
upload to unstable cherry-picks the two upstream commits.

+atftp (0.7.git20120829-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix concurrency issue denial of service (CVE-2019-11366) (Closes: #927553)
+  * Fix error handler stack overflow (CVE-2019-11365) (Closes: #927553)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 29 Apr 2019 19:37:52 +0200

Attached is the debdiff between the version in testing and the
uploaded version in unstable.

unblock atftp/0.7.git20120829-3.1

Regards,
Salvatore

 [1] https://pulsesecurity.co.nz/advisories/atftpd-multiple-vulnerabilities

diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog
--- atftp-0.7.git20120829/debian/changelog
+++ atftp-0.7.git20120829/debian/changelog
@@ -1,3 +1,11 @@
+atftp (0.7.git20120829-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix concurrency issue denial of service (CVE-2019-11366) (Closes: #927553)
+  * Fix error handler stack overflow (CVE-2019-11365) (Closes: #927553)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 29 Apr 2019 19:37:52 +0200
+
 atftp (0.7.git20120829-3) unstable; urgency=medium
 
   * Ack previous NMU
diff -u atftp-0.7.git20120829/tftpd_file.c atftp-0.7.git20120829/tftpd_file.c
--- atftp-0.7.git20120829/tftpd_file.c
+++ atftp-0.7.git20120829/tftpd_file.c
@@ -304,9 +304,7 @@
                          else
                               logger(LOG_WARNING, "source port mismatch, check bypassed");
                     }
-                    Strncpy(string, tftphdr->th_msg,
-                            (((data_size - 4) > MAXLEN) ? MAXLEN :
-                             (data_size - 4)));
+                    Strncpy(string, tftphdr->th_msg, sizeof(string));
                     if (data->trace)
                          logger(LOG_DEBUG, "received ERROR <code: %d, msg: %s>",
                                 ntohs(tftphdr->th_code), string);
@@ -954,9 +952,7 @@
                          }
                     }
                     /* Got an ERROR from the current master client */
-                    Strncpy(string, tftphdr->th_msg,
-                            (((data_size - 4) > MAXLEN) ? MAXLEN :
-                             (data_size - 4)));
+                    Strncpy(string, tftphdr->th_msg, sizeof(string));
                     if (data->trace)
                          logger(LOG_DEBUG, "received ERROR <code: %d, msg: %s>",
                                 ntohs(tftphdr->th_code), string);
diff -u atftp-0.7.git20120829/tftpd_list.c atftp-0.7.git20120829/tftpd_list.c
--- atftp-0.7.git20120829/tftpd_list.c
+++ atftp-0.7.git20120829/tftpd_list.c
@@ -49,11 +49,11 @@
  */
 int tftpd_list_add(struct thread_data *new)
 {
+     pthread_mutex_lock(&thread_list_mutex);
+
      struct thread_data *current = thread_data;
      int ret;
 
-     pthread_mutex_lock(&thread_list_mutex);
-
      number_of_thread++;
      
      ret = number_of_thread;
@@ -81,11 +81,11 @@
  */
 int tftpd_list_remove(struct thread_data *old)
 {
+     pthread_mutex_lock(&thread_list_mutex);
+
      struct thread_data *current = thread_data;
      int ret;
 
-     pthread_mutex_lock(&thread_list_mutex);
-
      number_of_thread--;
      ret = number_of_thread;
     
@@ -137,6 +137,9 @@
                                              struct thread_data *data,
                                              struct client_info *client)
 {
+     /* lock the whole list before walking it */
+     pthread_mutex_lock(&thread_list_mutex);
+
      struct thread_data *current = thread_data; /* head of the list */
      struct tftp_opt *tftp_options = data->tftp_options;
      struct client_info *tmp;
@@ -152,7 +155,4 @@
      len = (int)((unsigned long)index - (unsigned long)options);
 
-     /* lock the whole list before walking it */
-     pthread_mutex_lock(&thread_list_mutex);
-
      while (current)
      {
@@ -214,9 +214,9 @@
 void tftpd_clientlist_remove(struct thread_data *thread,
                              struct client_info *client)
 {
+     pthread_mutex_lock(&thread->client_mutex);
      struct client_info *tmp = thread->client_info;
 
-     pthread_mutex_lock(&thread->client_mutex);
      while ((tmp->next != client) && (tmp->next != NULL))
           tmp = tmp->next;
      if (tmp->next == NULL)
@@ -230,10 +230,11 @@
  */
 void tftpd_clientlist_free(struct thread_data *thread)
 {
+     pthread_mutex_lock(&thread->client_mutex);
+
      struct client_info *tmp;
      struct client_info *head = thread->client_info;
 
-     pthread_mutex_lock(&thread->client_mutex);
      while (head)
      {
           tmp = head;
@@ -250,10 +251,10 @@
                           struct client_info *client,
                           struct sockaddr_storage *sock)
 {
-     struct client_info *head = thread->client_info;
-
      pthread_mutex_lock(&thread->client_mutex);
 
+     struct client_info *head = thread->client_info;
+
      if (client)
      {
           client->done = 1;
@@ -334,10 +335,9 @@
 
 void tftpd_list_kill_threads(void)
 {
-     struct thread_data *current = thread_data; /* head of list */
-
      pthread_mutex_lock(&thread_list_mutex);
 
+     struct thread_data *current = thread_data; /* head of list */
 
      while (current != NULL)
      {
diff -u atftp-0.7.git20120829/tftpd_mtftp.c atftp-0.7.git20120829/tftpd_mtftp.c
--- atftp-0.7.git20120829/tftpd_mtftp.c
+++ atftp-0.7.git20120829/tftpd_mtftp.c
@@ -635,9 +635,7 @@
                     if (sockaddr_equal(sa, &from))
                     {
                          /* Got an ERROR from the current master client */
-                         Strncpy(string, tftphdr->th_msg,
-                                 (((data_size - 4) > MAXLEN) ? MAXLEN :
-                                  (data_size - 4)));
+                         Strncpy(string, tftphdr->th_msg, sizeof(string));
                          if (data->mtftp_data->trace)
                               logger(LOG_DEBUG, "received ERROR <code: %d, msg: %s>",
                                      ntohs(tftphdr->th_code), string);

--- End Message ---
--- Begin Message --- 
Unblocked atftp.

--- End Message ---
Reply to: