Bug#1105890: unblock: net-tools/2.10-1.2
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: net-tools@packages.debian.org, Martina Ferrari <tina@debian.org>, Utkarsh Gupta <utkarsh@debian.org>, carnil@debian.org
Control: affects -1 + src:net-tools
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear release team,
Please unblock package net-tools
[ Reason ]
Fixing a stack-based bufferoverflow in get_name() from
lib/interface.c. Utilities (for instance ifconfig) does not proerly
validate data from /proc, get_name() copies the interface labels from
/proc/net/dev into a fixed size stack buffer without further bound
checking.
[ Impact ]
Crash of tools from net-tools but might lead to arbitrary execution of
code (to remove the privilege escalation path one might disable
unpriv. usernamespaces as mitigation)
[ Tests ]
Basic local tests only.
[ Risks ]
Patch comes directly from upstream and acked by the reporter upstream.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
Nothing else to mention.
Regards,
Salvatore
diff -Nru net-tools-2.10/debian/changelog net-tools-2.10/debian/changelog
--- net-tools-2.10/debian/changelog 2024-04-22 01:55:29.000000000 +0200
+++ net-tools-2.10/debian/changelog 2025-05-15 05:43:50.000000000 +0200
@@ -1,3 +1,11 @@
+net-tools (2.10-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2025-46836: interface.c: Stack-based Buffer Overflow in get_name()
+ (Closes: #1105806)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Thu, 15 May 2025 05:43:50 +0200
+
net-tools (2.10-1.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru net-tools-2.10/debian/patches/CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch net-tools-2.10/debian/patches/CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch
--- net-tools-2.10/debian/patches/CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch 1970-01-01 01:00:00.000000000 +0100
+++ net-tools-2.10/debian/patches/CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch 2025-05-15 05:43:50.000000000 +0200
@@ -0,0 +1,92 @@
+From: Zephkeks <zephyrofficialdiscord@gmail.com>
+Date: Tue, 13 May 2025 11:04:17 +0200
+Subject: CVE-2025-46836: interface.c: Stack-based Buffer Overflow in
+ get_name()
+Origin: https://github.com/ecki/net-tools/commit/7a8f42fb20013a1493d8cae1c43436f85e656f2d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-46836
+Bug-Debian: https://bugs.debian.org/1105806
+
+Coordinated as GHSA-pfwf-h6m3-63wf
+---
+ lib/interface.c | 63 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 24 deletions(-)
+
+diff --git a/lib/interface.c b/lib/interface.c
+index 71d4163ac36f..a054f126e2f1 100644
+--- a/lib/interface.c
++++ b/lib/interface.c
+@@ -211,32 +211,47 @@ out:
+ }
+
+ static const char *get_name(char *name, const char *p)
++/* Safe version — guarantees at most IFNAMSIZ‑1 bytes are copied
++ and the destination buffer is always NUL‑terminated. */
+ {
+- while (isspace(*p))
+- p++;
+- while (*p) {
+- if (isspace(*p))
+- break;
+- if (*p == ':') { /* could be an alias */
+- const char *dot = p++;
+- while (*p && isdigit(*p)) p++;
+- if (*p == ':') {
+- /* Yes it is, backup and copy it. */
+- p = dot;
+- *name++ = *p++;
+- while (*p && isdigit(*p)) {
+- *name++ = *p++;
+- }
+- } else {
+- /* No, it isn't */
+- p = dot;
+- }
+- p++;
+- break;
+- }
+- *name++ = *p++;
++ char *dst = name; /* current write ptr */
++ const char *end = name + IFNAMSIZ - 1; /* last byte we may write */
++
++ /* Skip leading white‑space. */
++ while (isspace((unsigned char)*p))
++ ++p;
++
++ /* Copy until white‑space, end of string, or buffer full. */
++ while (*p && !isspace((unsigned char)*p) && dst < end) {
++ if (*p == ':') { /* possible alias veth0:123: */
++ const char *dot = p; /* remember the colon */
++ ++p;
++ while (*p && isdigit((unsigned char)*p))
++ ++p;
++
++ if (*p == ':') { /* confirmed alias */
++ p = dot; /* rewind and copy it all */
++
++ /* copy the colon */
++ if (dst < end)
++ *dst++ = *p++;
++
++ /* copy the digits */
++ while (*p && isdigit((unsigned char)*p) && dst < end)
++ *dst++ = *p++;
++
++ if (*p == ':') /* consume trailing colon */
++ ++p;
++ } else { /* if so treat as normal */
++ p = dot;
++ }
++ break; /* interface name ends here */
++ }
++
++ *dst++ = *p++; /* ordinary character copy */
+ }
+- *name++ = '\0';
++
++ *dst = '\0'; /* always NUL‑terminate */
+ return p;
+ }
+
+--
+2.49.0
+
diff -Nru net-tools-2.10/debian/patches/series net-tools-2.10/debian/patches/series
--- net-tools-2.10/debian/patches/series 2023-11-23 15:37:17.000000000 +0100
+++ net-tools-2.10/debian/patches/series 2025-05-15 05:43:50.000000000 +0200
@@ -3,3 +3,4 @@
Add_missing_headers.patch
Bug_900962-man-de-typos.patch
Bug_549397-fix-decoding-of-MII-vendor-ids.patch
+CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch
Reply to: