
Bug#983110: marked as done (buster-pu: package ipmitool/1.8.18-6 (CVE-2020-5208))



Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id <5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #983110,
regarding buster-pu: package ipmitool/1.8.18-6 (CVE-2020-5208)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
983110: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983110
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Stable release team,

I would like to update the ipmitool package in Buster, to
address CVE-2020-5208. Attached is the debdiff including
the upstream patches, backported to the current codebase
in Buster. Please allow me to upload.

Note that I already uploaded this to Sid, through the
DELAYED/5 queue. I was also able to quickly check that the
basic ipmitool functionalities work (i.e., by using ipmitool
commands like "chassis power status" and so on...).

Cheers,

Thomas Goirand (zigo)
diff -Nru ipmitool-1.8.18/debian/changelog ipmitool-1.8.18/debian/changelog
--- ipmitool-1.8.18/debian/changelog	2018-08-05 12:20:50.000000000 +0200
+++ ipmitool-1.8.18/debian/changelog	2021-02-19 11:30:06.000000000 +0100
@@ -1,3 +1,18 @@
+ipmitool (1.8.18-6+deb10u1) buster-security; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2020-5208: buffer overflows and potentially to remote code execution.
+    Applied upstream patches:
+    - CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch
+    - CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
+    - CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
+    - CVE-2020-5208_4-channel-Fix-buffer-overflow.patch
+    - CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
+    - CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch
+    (Closes: #950761).
+
+ -- Thomas Goirand <zigo@debian.org>  Fri, 19 Feb 2021 11:30:06 +0100
+
 ipmitool (1.8.18-6) unstable; urgency=medium
 
   * debian/changelog:
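Review bot: the distribution in `+ipmitool (1.8.18-6+deb10u1) buster-security; urgency=medium` is wrong for a proposed-updates upload; a p-u upload should name `buster` as the distribution, `buster-security` is reserved for security team uploads. The entry text `buffer overflows and potentially to remote code execution` also reads awkwardly; `buffer overflows potentially leading to remote code execution` says the same thing.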
diff -Nru ipmitool-1.8.18/debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch ipmitool-1.8.18/debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch
--- ipmitool-1.8.18/debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch	1970-01-01 01:00:00.000000000 +0100
+++ ipmitool-1.8.18/debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch	2021-02-19 11:27:50.000000000 +0100
@@ -0,0 +1,120 @@
+Description: fru: Fix buffer overflow vulnerabilities
+ Partial fix for CVE-2020-5208, see
+ https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+ .
+ The `read_fru_area_section` function only performs size validation of
+ requested read size, and falsely assumes that the IPMI message will not
+ respond with more than the requested amount of data; it uses the
+ unvalidated response size to copy into `frubuf`. If the response is
+ larger than the request, this can result in overflowing the buffer.
+ .
+ The same issue affects the `read_fru_area` function.
+Author: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:33:59 +0000
+
+Index: ipmitool-1.8.18/lib/ipmi_fru.c
+===================================================================
+--- ipmitool-1.8.18.orig/lib/ipmi_fru.c
++++ ipmitool-1.8.18/lib/ipmi_fru.c
+@@ -615,7 +615,10 @@ int
+ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 			uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+-	uint32_t off = offset, tmp, finish;
++	uint32_t off = offset;
++	uint32_t tmp;
++	uint32_t finish;
++	uint32_t size_left_in_buffer;
+ 	struct ipmi_rs * rsp;
+ 	struct ipmi_rq req;
+ 	uint8_t msg_data[4];
+@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, s
+ 
+ 	finish = offset + length;
+ 	if (finish > fru->size) {
++		memset(frubuf + fru->size, 0, length - fru->size);
+ 		finish = fru->size;
+ 		lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+ 			"Adjusting to %d",
+ 			offset + length, finish - offset);
++		length = finish - offset;
+ 	}
+ 
+ 	memset(&req, 0, sizeof(req));
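Review bot: the new `memset(frubuf + fru->size, 0, length - fru->size);` is only correct when `offset` is 0. `frubuf` is the caller's buffer for bytes `offset..offset+length`, so the bytes that lie past the end of the FRU start at `frubuf + (fru->size - offset)` and there are `finish - fru->size` of them, not `length - fru->size`. Since all three variables are `uint32_t`, `length - fru->size` wraps to a huge value whenever `length < fru->size`, which is exactly the case of a read near the end of a larger FRU that overshoots. Suggest rejecting `offset >= fru->size` before this block and then using `memset(frubuf + (fru->size - offset), 0, finish - fru->size);`.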
+@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, s
+ 		}
+ 	}
+ 
++	size_left_in_buffer = length;
+ 	do {
+ 		tmp = fru->access ? off >> 1 : off;
+ 		msg_data[0] = id;
+@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, s
+ 		}
+ 
+ 		tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
++		if(rsp->data_len < 1
++		   || tmp > rsp->data_len - 1
++		   || tmp > size_left_in_buffer)
++		{
++			printf(" Not enough buffer size");
++			return -1;
++		}
++
+ 		memcpy(frubuf, rsp->data + 1, tmp);
+ 		off += tmp;
+ 		frubuf += tmp;
++		size_left_in_buffer -= tmp;
+ 		/* sometimes the size returned in the Info command
+ 		* is too large.  return 0 so higher level function
+ 		* still attempts to parse what was returned */
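Review bot: the error path `printf(" Not enough buffer size");` in the new guard is inconsistent with the rest of this function, which reports through `lprintf` (see the `lprintf(LOG_NOTICE, ...)` in the earlier hunk), and it prints no trailing newline. Suggest `lprintf(LOG_ERR, "FRU response length %d exceeds remaining buffer %d", tmp, size_left_in_buffer);` so the message lands in the normal log stream with the values that mattered. Separately, a response with `rsp->data[0] == 0` passes the guard with `tmp == 0`, so `off` and `frubuf` do not advance; whether the loop then terminates depends on the `while` condition outside this hunk and is worth verifying.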
+@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf *
+ 			uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+ 	static uint32_t fru_data_rqst_size = 20;
+-	uint32_t off = offset, tmp, finish;
++	uint32_t off = offset;
++	uint32_t tmp, finish;
++	uint32_t size_left_in_buffer;
+ 	struct ipmi_rs * rsp;
+ 	struct ipmi_rq req;
+ 	uint8_t msg_data[4];
+@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf *
+ 
+ 	finish = offset + length;
+ 	if (finish > fru->size) {
++		memset(frubuf + fru->size, 0, length - fru->size);
+ 		finish = fru->size;
+ 		lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+ 			"Adjusting to %d",
+ 			offset + length, finish - offset);
++		length = finish - offset;
+ 	}
+ 
+ 	memset(&req, 0, sizeof(req));
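Review bot: same arithmetic concern as the equivalent block in `read_fru_area`: `memset(frubuf + fru->size, 0, length - fru->size);` assumes `offset == 0`, and with `uint32_t` operands `length - fru->size` wraps whenever `length < fru->size`. The zeroed region should start at `frubuf + (fru->size - offset)` and span `finish - fru->size` bytes, with `offset >= fru->size` rejected before this block.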
+@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf *
+ 	if (fru->access && fru_data_rqst_size > 16)
+ #endif
+ 		fru_data_rqst_size = 16;
++
++	size_left_in_buffer = length;
+ 	do {
+ 		tmp = fru->access ? off >> 1 : off;
+ 		msg_data[0] = id;
+@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf *
+ 		}
+ 
+ 		tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
++		if(rsp->data_len < 1
++		   || tmp > rsp->data_len - 1
++		   || tmp > size_left_in_buffer)
++		{
++			printf(" Not enough buffer size");
++			return -1;
++		}
+ 		memcpy((frubuf + off)-offset, rsp->data + 1, tmp);
+ 		off += tmp;
++		size_left_in_buffer -= tmp;
+ 
+ 		/* sometimes the size returned in the Info command
+ 		* is too large.  return 0 so higher level function
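Review bot: the `printf(" Not enough buffer size");` in the new guard should be an `lprintf(LOG_ERR, ...)` with a newline like the rest of the file, and a blank line after the closing `}` would keep this block identical to the one added in `read_fru_area`. The guard itself lines up with the destination: `(frubuf + off)-offset` is `frubuf + (off - offset)`, i.e. the number of bytes copied so far, which is exactly what `size_left_in_buffer` counts down from `length`.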
diff -Nru ipmitool-1.8.18/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch ipmitool-1.8.18/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
--- ipmitool-1.8.18/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch	1970-01-01 01:00:00.000000000 +0100
+++ ipmitool-1.8.18/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch	2021-02-19 11:27:50.000000000 +0100
@@ -0,0 +1,48 @@
+From 840fb1cbb4fb365cb9797300e3374d4faefcdb10 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:44:18 +0000
+Subject: [PATCH 2/6] fru: Fix buffer overflow in ipmi_spd_print_fru
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `ipmi_spd_print_fru` function has a similar issue as the one fixed
+by the previous commit in `read_fru_area_section`. An initial request is
+made to get the `fru.size`, which is used as the size for the allocation
+of `spd_data`. Inside a loop, further requests are performed to get the
+copy sizes which are not checked before being used as the size for a
+copy into the buffer.
+---
+ lib/dimm_spd.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c
+index 163a2c2..d559cb4 100644
+--- a/lib/dimm_spd.c
++++ b/lib/dimm_spd.c
+@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
+ 	struct ipmi_rq req;
+ 	struct fru_info fru;
+ 	uint8_t *spd_data, msg_data[4];
+-	int len, offset;
++	uint32_t len, offset;
+ 
+ 	msg_data[0] = id;
+ 
+@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
+ 		}
+ 
+ 		len = rsp->data[0];
++		if(rsp->data_len < 1
++		   || len > rsp->data_len - 1
++		   || len > fru.size - offset)
++		{
++			printf(" Not enough buffer size");
++			return -1;
++		}
+ 		memcpy(&spd_data[offset], rsp->data + 1, len);
+ 		offset += len;
+ 	} while (offset < fru.size);
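Review bot: the new guard does not reject `len == 0`, and with the loop condition `while (offset < fru.size)` on the last line of this hunk a response whose byte count is zero leaves `offset` unchanged and spins the loop forever. Suggest treating `len == 0` as an error alongside the other conditions, and reporting through `lprintf(LOG_ERR, ...)` rather than `printf(" Not enough buffer size");` for consistency with the tool's other error messages.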
+-- 
+2.20.1
+
diff -Nru ipmitool-1.8.18/debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch ipmitool-1.8.18/debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
--- ipmitool-1.8.18/debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch	1970-01-01 01:00:00.000000000 +0100
+++ ipmitool-1.8.18/debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch	2021-02-19 11:27:50.000000000 +0100
@@ -0,0 +1,48 @@
+From 41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:51:49 +0000
+Subject: [PATCH 3/6] session: Fix buffer overflow in ipmi_get_session_info
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `ipmi_get_session_info` function does not properly check the
+response `data_len`, which is used as a copy size, allowing stack buffer
+overflow.
+---
+ lib/ipmi_session.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c
+index ecf4afc..b282d6d 100644
+--- a/lib/ipmi_session.c
++++ b/lib/ipmi_session.c
+@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf         * intf,
+ 		}
+ 		else
+ 		{
+-			memcpy(&session_info,  rsp->data, rsp->data_len);
+-			print_session_info(&session_info, rsp->data_len);
++			memcpy(&session_info,  rsp->data,
++			       __min(rsp->data_len, sizeof(session_info)));
++			print_session_info(&session_info,
++			                   __min(rsp->data_len, sizeof(session_info)));
+ 		}
+ 		break;
+ 		
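Review bot: `__min(rsp->data_len, sizeof(session_info))` is evaluated twice here and twice again in the next hunk; computing it once into a local (`size_t n = __min(rsp->data_len, sizeof(session_info));`) and passing `n` to both `memcpy` and `print_session_info` removes the duplication and makes it obvious that both calls see the same length. The backport also assumes `__min` is visible in `ipmi_session.c` on 1.8.18 (patches 5 and 6 rely on the same macro); worth confirming the header that defines it is included here.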
+@@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf         * intf,
+ 				break;
+ 			}
+ 
+-			memcpy(&session_info,  rsp->data, rsp->data_len);
+-			print_session_info(&session_info, rsp->data_len);
++			memcpy(&session_info,  rsp->data,
++			       __min(rsp->data_len, sizeof(session_info)));
++			print_session_info(&session_info,
++			                   __min(rsp->data_len, sizeof(session_info)));
+ 			
+ 		} while (i <= session_info.session_slot_count);
+ 		break;
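Review bot: the loop condition `while (i <= session_info.session_slot_count)` reads a field of `session_info` after a copy that is now truncated to `__min(rsp->data_len, sizeof(session_info))`; if a response is shorter than the struct, that field holds whatever the previous iteration or the uninitialised stack left there unless `session_info` is cleared before each copy. Suggest a `memset(&session_info, 0, sizeof(session_info));` before the `memcpy`, or rejecting responses shorter than the fields the loop depends on.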
+-- 
+2.20.1
+
diff -Nru ipmitool-1.8.18/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch ipmitool-1.8.18/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch
--- ipmitool-1.8.18/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ ipmitool-1.8.18/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch	2021-02-19 11:27:50.000000000 +0100
@@ -0,0 +1,37 @@
+Subject: [PATCH 4/6] channel: Fix buffer overflow
+ Partial fix for CVE-2020-5208, see
+ https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+ .
+ The `ipmi_get_channel_cipher_suites` function does not properly check
+ the final response’s `data_len`, which can lead to stack buffer overflow
+ on the final copy.
+ From 9452be87181a6e83cfcc768b3ed8321763db50e4 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:56:38 +0000
+Last-Update: 2021-02-08
+
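Review bot: the DEP-3 header of this patch is malformed: the line ` From 9452be87181a6e83cfcc768b3ed8321763db50e4 Mon Sep 17 00:00:00 2001` is indented by one space, which makes it a continuation of the `Subject:` description rather than a header field, and the following `From:`/`Date:` lines then sit after the description body. Suggest the layout used by patch 1 (`Description:`, then `Author:`, `Date:`, `Last-Update:`), with the upstream commit id recorded in an `Origin:` field instead of the git mail banner.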
+--- ipmitool-1.8.18.orig/lib/ipmi_channel.c
++++ ipmitool-1.8.18/lib/ipmi_channel.c
+@@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ip
+ 			lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
+ 			return -1;
+ 		}
+-		if (rsp->ccode > 0) {
++		if (rsp->ccode
++			|| rsp->data_len < 1
++			|| rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
++		{
+ 			lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
+ 					val2str(rsp->ccode, completion_code_vals));
+ 			return -1;
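Review bot: when the new length conditions (`rsp->data_len < 1` or `rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN`) trigger, `rsp->ccode` is 0, so the message `Get Channel Cipher Suites failed: %s` reports the completion code of a successful response and will mislead whoever debugs the failure. Suggest a separate branch for the length case that logs the actual length, e.g. `lprintf(LOG_ERR, "Get Channel Cipher Suites: unexpected response length %d", rsp->data_len);`.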
+--- a/include/ipmitool/ipmi_channel.h	2016-05-29 21:46:53.000000000 +0200
++++ b/include/ipmitool/ipmi_channel.h	2021-02-08 23:45:10.598535426 +0100
+@@ -77,6 +77,8 @@
+ 	uint8_t user_level_auth;
+ };
+ 
++#define MAX_CIPHER_SUITE_DATA_LEN 0x10
++
+ /*
+  * The Get Authentication Capabilities response structure
+  * From table 22-15 of the IPMI v2.0 spec
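Review bot: `#define MAX_CIPHER_SUITE_DATA_LEN 0x10` has no comment saying where the value comes from. A one-line comment noting that the Get Channel Cipher Suites response carries at most 16 bytes of cipher suite record data per call (IPMI v2.0, section 22.15) would document why `0x10` is the right cap for the check in `ipmi_channel.c`, in the same style as the table reference on the struct comment just below it.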
diff -Nru ipmitool-1.8.18/debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch ipmitool-1.8.18/debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
--- ipmitool-1.8.18/debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch	1970-01-01 01:00:00.000000000 +0100
+++ ipmitool-1.8.18/debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch	2021-02-19 11:27:50.000000000 +0100
@@ -0,0 +1,85 @@
+From d45572d71e70840e0d4c50bf48218492b79c1a10 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 17:06:39 +0000
+Subject: [PATCH 5/6] lanp: Fix buffer overflows in get_lan_param_select
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `get_lan_param_select` function is missing a validation check on the
+response’s `data_len`, which it then returns to caller functions, where
+stack buffer overflow can occur.
+---
+ lib/ipmi_lanp.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+Index: ipmitool-1.8.18/lib/ipmi_lanp.c
+===================================================================
+--- ipmitool-1.8.18.orig/lib/ipmi_lanp.c
++++ ipmitool-1.8.18/lib/ipmi_lanp.c
+@@ -1809,7 +1809,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 		/* set new ipaddr */
+ 		memcpy(data+3, temp, 4);
+ 		printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert,
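Review bot: this hunk and the six that follow clamp the copy in `ipmi_lan_alert_set`, while the commit subject says the fix is in `get_lan_param_select`; none of the hunks touches that function. Either the description should say the clamp is applied at the call sites, or a `data_len` check should go into `get_lan_param_select` itself so that every caller is covered rather than only this one. Also, `__min(p->data_len, sizeof(data))` is only a bound if `data` is a local array and not a pointer; its declaration is outside the hunk and worth checking before the upload.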
+@@ -1824,7 +1824,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 		/* set new macaddr */
+ 		memcpy(data+7, temp, 6);
+ 		printf("Setting LAN Alert %d MAC Address to "
+@@ -1838,7 +1838,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (strncasecmp(argv[1], "def", 3) == 0 ||
+ 		    strncasecmp(argv[1], "default", 7) == 0) {
+@@ -1864,7 +1864,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (strncasecmp(argv[1], "on", 2) == 0 ||
+ 		    strncasecmp(argv[1], "yes", 3) == 0) {
+@@ -1889,7 +1889,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (strncasecmp(argv[1], "pet", 3) == 0) {
+ 			printf("Setting LAN Alert %d destination to PET Trap\n", alert);
+@@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (str2uchar(argv[1], &data[2]) != 0) {
+ 			lprintf(LOG_ERR, "Invalid time: %s", argv[1]);
+@@ -1933,7 +1933,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (str2uchar(argv[1], &data[3]) != 0) {
+ 			lprintf(LOG_ERR, "Invalid retry: %s", argv[1]);
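Review bot: the identical line `memcpy(data, p->data, __min(p->data_len, sizeof(data)));` now appears seven times in `ipmi_lan_alert_set`. A small static helper taking `p`, `data` and `sizeof(data)` would remove the duplication, and it is the natural place to log when `p->data_len` exceeds the buffer, so that a BMC returning an over-long LAN parameter is visible in the output instead of being silently truncated.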
diff -Nru ipmitool-1.8.18/debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch ipmitool-1.8.18/debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch
--- ipmitool-1.8.18/debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch	1970-01-01 01:00:00.000000000 +0100
+++ ipmitool-1.8.18/debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch	2021-02-19 11:27:50.000000000 +0100
@@ -0,0 +1,134 @@
+From 7ccea283dd62a05a320c1921e3d8d71a87772637 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 17:13:45 +0000
+Subject: [PATCH 6/6] fru, sdr: Fix id_string buffer overflows
+
+Final part of the fixes for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+9 variants of stack buffer overflow when parsing `id_string` field of
+SDR records returned from `CMD_GET_SDR` command.
+
+SDR record structs have an `id_code` field, and an `id_string` `char`
+array.
+
+The length of `id_string` is calculated as `(id_code & 0x1f) + 1`,
+which can be larger than expected 16 characters (if `id_code = 0xff`,
+then length will be `(0xff & 0x1f) + 1 = 32`).
+
+In numerous places, this can cause stack buffer overflow when copying
+into fixed buffer of size `17` bytes from this calculated length.
+---
+ lib/ipmi_fru.c |  2 +-
+ lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++----------------
+ 2 files changed, 25 insertions(+), 17 deletions(-)
+
+Index: ipmitool-1.8.18/lib/ipmi_fru.c
+===================================================================
+--- ipmitool-1.8.18.orig/lib/ipmi_fru.c
++++ ipmitool-1.8.18/lib/ipmi_fru.c
+@@ -3062,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf,
+ 		return 0;
+ 
+ 	memset(desc, 0, sizeof(desc));
+-	memcpy(desc, fru->id_string, fru->id_code & 0x01f);
++	memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc)));
+ 	desc[fru->id_code & 0x01f] = 0;
+ 	printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id);
+ 
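Review bot: the clamp on the `memcpy` is not carried into the next line: `desc[fru->id_code & 0x01f] = 0;` still uses the unclamped index, so with `id_code & 0x1f` at its maximum of 31 the terminator is written at `desc[31]`, and even a value equal to `sizeof(desc)` writes one byte past the array. Suggest computing the length once as `__min(fru->id_code & 0x1f, sizeof(desc) - 1)` and using it for both the `memcpy` and the terminator.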
+Index: ipmitool-1.8.18/lib/ipmi_sdr.c
+===================================================================
+--- ipmitool-1.8.18.orig/lib/ipmi_sdr.c
++++ ipmitool-1.8.18/lib/ipmi_sdr.c
+@@ -2084,7 +2084,7 @@ ipmi_sdr_print_sensor_eventonly(struct i
+ 		return -1;
+ 
+ 	memset(desc, 0, sizeof (desc));
+-	snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string);
++	snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string);
+ 
+ 	if (verbose) {
+ 		printf("Sensor ID              : %s (0x%x)\n",
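Review bot: the new precision `(sensor->id_code & 0x1f) + 1` copies one more character than the old call did: `snprintf(desc, n, "%s", s)` writes at most `n - 1` characters, whereas `"%.*s"` with precision `n` writes up to `n`. The result is still bounded by `sizeof(desc)`, so the overflow is fixed, but the printed name changes whenever `id_string` holds more bytes than the encoded length, and it differs from the `& 0x01f` without `+ 1` used for the `memcpy` in `ipmi_fru.c` in this same patch. Suggest precision `sensor->id_code & 0x1f` here and in the four identical hunks below to preserve the original output.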
+@@ -2135,7 +2135,7 @@ ipmi_sdr_print_sensor_mc_locator(struct
+ 		return -1;
+ 
+ 	memset(desc, 0, sizeof (desc));
+-	snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string);
++	snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string);
+ 
+ 	if (verbose == 0) {
+ 		if (csv_output)
+@@ -2228,7 +2228,7 @@ ipmi_sdr_print_sensor_generic_locator(st
+ 	char desc[17];
+ 
+ 	memset(desc, 0, sizeof (desc));
+-	snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string);
++	snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string);
+ 
+ 	if (!verbose) {
+ 		if (csv_output)
+@@ -2285,7 +2285,7 @@ ipmi_sdr_print_sensor_fru_locator(struct
+ 	char desc[17];
+ 
+ 	memset(desc, 0, sizeof (desc));
+-	snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string);
++	snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string);
+ 
+ 	if (!verbose) {
+ 		if (csv_output)
+@@ -2489,35 +2489,43 @@ ipmi_sdr_print_name_from_rawentry(struct
+ 
+    int rc =0;
+    char desc[17];
++   const char *id_string;
++   uint8_t id_code;
+    memset(desc, ' ', sizeof (desc));
+ 
+    switch ( type) {
+       case SDR_RECORD_TYPE_FULL_SENSOR:
+       record.full = (struct sdr_record_full_sensor *) raw;
+-      snprintf(desc, (record.full->id_code & 0x1f) +1, "%s",
+-               (const char *)record.full->id_string);
++      id_code = record.full->id_code;
++      id_string = record.full->id_string;
+       break;
++
+       case SDR_RECORD_TYPE_COMPACT_SENSOR:
+       record.compact = (struct sdr_record_compact_sensor *) raw	;
+-      snprintf(desc, (record.compact->id_code & 0x1f)  +1, "%s",
+-               (const char *)record.compact->id_string);
++      id_code = record.compact->id_code;
++      id_string = record.compact->id_string;
+       break;
++
+       case SDR_RECORD_TYPE_EVENTONLY_SENSOR:
+       record.eventonly  = (struct sdr_record_eventonly_sensor *) raw ;
+-      snprintf(desc, (record.eventonly->id_code & 0x1f)  +1, "%s",
+-               (const char *)record.eventonly->id_string);
+-      break;            
++      id_code = record.eventonly->id_code;
++      id_string = record.eventonly->id_string;
++      break;
++
+       case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR:
+       record.mcloc  = (struct sdr_record_mc_locator *) raw ;
+-      snprintf(desc, (record.mcloc->id_code & 0x1f)  +1, "%s",
+-               (const char *)record.mcloc->id_string);		
++      id_code = record.mcloc->id_code;
++      id_string = record.mcloc->id_string;
+       break;
++
+       default:
+       rc = -1;
+-      break;
+-   }   
++   }
++   if (!rc) {
++       snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string);
++   }
+ 
+-      lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
++   lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
+    return rc;
+ }
+ 
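Review bot: `memset(desc, ' ', sizeof (desc));` fills `desc` with spaces and no terminator, and on the `default:` path the new `if (!rc)` skips the `snprintf` that would add one, so `lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);` then reads an unterminated 17-byte buffer with `%s`. The old code had the same gap, but since this hunk restructures the function anyway, suggest `memset(desc, 0, sizeof(desc))` or `desc[sizeof(desc) - 1] = '\0';` after the memset. Leaving `id_code` and `id_string` uninitialised on that path is fine because they are only read under `!rc`.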
diff -Nru ipmitool-1.8.18/debian/patches/series ipmitool-1.8.18/debian/patches/series
--- ipmitool-1.8.18/debian/patches/series	2018-08-05 11:19:02.000000000 +0200
+++ ipmitool-1.8.18/debian/patches/series	2021-02-19 11:28:47.000000000 +0100
@@ -9,3 +9,9 @@
 0110-getpass-prototype.patch
 0115-typo.patch
 0125-nvidia-iana.patch
+CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch
+CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
+CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
+CVE-2020-5208_4-channel-Fix-buffer-overflow.patch
+CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
+CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10
point release today.

Regards,

Adam

--- End Message ---
