--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package atftp/0.7.git20120829-3.2~deb10u1
- From: "Andreas B. Mundt" <andi@debian.org>
- Date: Thu, 23 Sep 2021 17:47:51 +0200
- Message-id: <163241207159.537079.1545446625199075199.reportbug@flashgordon>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: andi@debian.org
Hi,
I would like to ask for permission to upload a new atftpd
package 0.7.git20120829-3.2+deb10u2 to fix #994895, buffer
overflow, CVE-2021-41054.
[ Reason ]
Fix a CVE (no DSA)
[ Impact ]
atftpd can be crashed by sending a crafted, but trivial request.
[ Tests ]
I manually tested that the buffer overflow happens in the current
package and is fixed in the new package.
[ Risks ]
very small
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
The patch checks the length of the options of the request and throws an
error if the buffer is too small.
[ Other info ]
I chose the package version to increase from -3.2~deb10u1 to -3.2+deb10u2.
diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog
--- atftp-0.7.git20120829/debian/changelog
+++ atftp-0.7.git20120829/debian/changelog
@@ -1,3 +1,9 @@
+atftp (0.7.git20120829-3.2+deb10u2) buster; urgency=medium
+
+ * Fix for CVE-2021-41054 (Closes: #994895)
+
+ -- Andreas B. Mundt <andi@debian.org> Wed, 22 Sep 2021 20:27:34 +0200
+
atftp (0.7.git20120829-3.2~deb10u1) buster; urgency=medium
* Non-maintainer upload.
diff -u atftp-0.7.git20120829/tftpd_file.c atftp-0.7.git20120829/tftpd_file.c
--- atftp-0.7.git20120829/tftpd_file.c
+++ atftp-0.7.git20120829/tftpd_file.c
@@ -183,8 +183,17 @@
/* blksize options */
if ((result = opt_get_blksize(data->tftp_options)) > -1)
{
- if ((result < 8) || (result > 65464))
+ /*
+ * If we receive more options, we have to make sure our buffer for
+ * the OACK is not too small. Use the string representation of
+ * the options here for simplicity, which puts us on the save side.
+ * FIXME: Use independent buffers for OACK and data.
+ */
+ opt_options_to_string(data->tftp_options, string, MAXLEN);
+ if ((result < strlen(string)-2) || (result > 65464))
{
+ logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.",
+ string, strlen(string)-2);
tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size);
if (data->trace)
logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG,
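Review bot: the new lower bound `if ((result < strlen(string)-2) || (result > 65464))` compares the signed `int` `result` (it was just tested against `-1`) with a `size_t`, so `result` is converted to unsigned for the comparison, and it silently drops the explicit RFC 2348 minimum of 8 that the removed line enforced; keep `(result < 8)` in the condition and compare the string length against a `size_t` copy of `result`. The added logger call passes `strlen(string)-2`, a `size_t`, to a `%d` conversion; use `%zu` or cast the value to `int`. The `-2` is an unexplained magic number tied to the format produced by `opt_options_to_string`; a comment saying which two characters it discounts would make the check reviewable.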
@@ -530,8 +539,17 @@
/* blksize options */
if ((result = opt_get_blksize(data->tftp_options)) > -1)
{
- if ((result < 8) || (result > 65464))
+ /*
+ * If we receive more options, we have to make sure our buffer for
+ * the OACK is not too small. Use the string representation of
+ * the options here for simplicity, which puts us on the save side.
+ * FIXME: Use independent buffers for OACK and data.
+ */
+ opt_options_to_string(data->tftp_options, string, MAXLEN);
+ if ((result < strlen(string)-2) || (result > 65464))
{
+ logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.",
+ string, strlen(string)-2);
tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size);
if (data->trace)
logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG,
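Review bot: this hunk repeats the block from the hunk at line 183 verbatim, including the FIXME comment, the `%d`/`size_t` mismatch in the logger format and the dropped lower bound of 8; move the buffer-size check and its logger call into one helper in tftpd_file.c that both request paths call, so a later correction is not applied to one copy and missed in the other.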
--- End Message ---
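The kind of check the report describes (rejecting a request whose options would not fit in the buffer sized for its blksize), written as an added C example that is not atftp's code and not part of the report above: it parses the blksize value with an explicit bounds check, computes the exact OACK packet length from the option list rather than from a string approximation, and keeps every size comparison in `size_t` so no signed value is converted. The function names, the assumption of a 4-byte data header on the buffer, and the sample requests are constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounds from RFC 2348; the buffer layout below is an assumption for this example. */
#define BLKSIZE_MIN 8L
#define BLKSIZE_MAX 65464L
#define DATA_HEADER_LEN 4   /* assumed: 2-byte opcode + 2-byte block number before each data block */

/* One negotiated option as it will appear in the OACK. */
typedef struct {
    const char *name;
    const char *value;
} tftp_option;

/* Parse a blksize option value. Returns -1 for anything that is not a
   well-formed decimal number inside the RFC 2348 range, so callers never
   see a negative or overflowed value. */
long parse_blksize(const char *s)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;
    if (v < BLKSIZE_MIN || v > BLKSIZE_MAX)
        return -1;
    return v;
}

/* Exact size of an OACK packet: 2-byte opcode, then each option name and
   value as NUL-terminated strings (RFC 2347). */
size_t oack_length(const tftp_option *opts, size_t n)
{
    size_t len = 2;
    for (size_t i = 0; i < n; i++)
        len += strlen(opts[i].name) + 1 + strlen(opts[i].value) + 1;
    return len;
}

/* Returns 1 when the OACK for these options fits in a buffer sized for the
   requested blksize, 0 otherwise. The range check makes the cast to size_t
   safe even if a caller bypasses parse_blksize. */
int oack_fits(long blksize, const tftp_option *opts, size_t n)
{
    size_t buffer_len;

    if (blksize < BLKSIZE_MIN || blksize > BLKSIZE_MAX)
        return 0;
    buffer_len = (size_t)blksize + DATA_HEADER_LEN;
    return oack_length(opts, n) <= buffer_len;
}

/* The full check a server would run before allocating its buffer.
   Returns the blksize to use, or -1 if an option-negotiation error
   should be sent instead of an OACK. */
long negotiate_blksize(const char *blksize_value, const tftp_option *opts, size_t n)
{
    long blksize = parse_blksize(blksize_value);
    if (blksize < 0)
        return -1;
    if (!oack_fits(blksize, opts, n))
        return -1;
    return blksize;
}

int main(void)
{
    /* Constructed sample: a request asking for the minimum block size while
       carrying several options, so the OACK is longer than the buffer. */
    const tftp_option small[] = {
        { "blksize", "8" }, { "tsize", "0" }, { "timeout", "5" }
    };
    const tftp_option sane[] = { { "blksize", "1024" }, { "tsize", "0" } };

    printf("OACK needs %zu bytes, buffer for blksize 8 holds %d: result %ld\n",
           oack_length(small, 3), 8 + DATA_HEADER_LEN,
           negotiate_blksize("8", small, 3));
    printf("blksize 1024 with two options: result %ld\n",
           negotiate_blksize("1024", sane, 2));
    return 0;
}
```

With the sample above, the three-option request at blksize 8 needs a 30-byte OACK but gets a 12-byte buffer and is refused, while the same options with blksize 32 or more are accepted; measuring the real packet rather than a string approximation removes the need for a fudge constant such as `-2`.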