[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1004999: marked as done (bullseye-pu: package atftp/0.7.git20120829-3.3+deb11u1)

Your message dated Sat, 26 Mar 2022 11:59:13 +0000
with message-id <c4d20274f6d76a43fb574d2177f6e3af4235e4be.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for updates in 11.3
has caused the Debian Bug report #1004999,
regarding bullseye-pu: package atftp/0.7.git20120829-3.3+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1004999: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004999
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: andi@debian.org

[ Reason ]
Fix of CVE-2021-46671 reported in #1004974.

[ Impact ]
Potential information leak under special circumstances.

[ Tests ]
I checked manually that the changes fix the problem.  The version in
testing contains the fix already for a long time and no problems have
been observed.

[ Risks ]
Risks are rather low, as changes are not complicated and in place for
the version in testing since quite some time.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
With the fix applied, options sent to the daemon are better checked
to avoid reading past the end of an array.

[ Other info ]
The same problem exists in buster (I'll open a separate buster-pu).
I am going to upload the fixed version already.

diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog
--- atftp-0.7.git20120829/debian/changelog
+++ atftp-0.7.git20120829/debian/changelog
@@ -1,3 +1,9 @@
+atftp (0.7.git20120829-3.3+deb11u2) bullseye; urgency=medium
+
+  * Fix for CVE-2021-46671 (Closes: #1004974)
+
+ -- Andreas B. Mundt <andi@debian.org>  Fri, 04 Feb 2022 18:09:05 +0100
+
 atftp (0.7.git20120829-3.3+deb11u1) bullseye; urgency=medium
 
   * Fix for CVE-2021-41054 (Closes: #994895)
diff -u atftp-0.7.git20120829/options.c atftp-0.7.git20120829/options.c
--- atftp-0.7.git20120829/options.c
+++ atftp-0.7.git20120829/options.c
@@ -43,6 +43,12 @@
      struct tftphdr *tftp_data = (struct tftphdr *)data;
      size_t size = data_size - sizeof(tftp_data->th_opcode);
 
+     /* sanity check - requests always end in a null byte,
+      * check to prevent argz_next from reading past the end of
+      * data, as it doesn't do bounds checks */
+     if (data_size == 0 || data[data_size-1] != '\0')
+          return ERR;
+
      /* read filename */
      entry = argz_next(tftp_data->th_stuff, size, entry);
      if (!entry)
@@ -79,6 +85,12 @@
      struct tftphdr *tftp_data = (struct tftphdr *)data;
      size_t size = data_size - sizeof(tftp_data->th_opcode);
 
+     /* sanity check - options always end in a null byte,
+      * check to prevent argz_next from reading past the end of
+      * data, as it doesn't do bounds checks */
+     if (data_size == 0 || data[data_size-1] != '\0')
+          return ERR;
+
      while ((entry = argz_next(tftp_data->th_stuff, size, entry)))
      {
           tmp = entry;

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 11.3

Hi,

The updates referenced by these bugs were included in stable as part of
this morning's 11.3 point release.

Regards,

Adam

--- End Message ---
Reply to: