--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: net-tools@packages.debian.org, Martina Ferrari <tina@debian.org>, Utkarsh Gupta <utkarsh@debian.org>, team@security.debian.org, carnil@debian.org
Control: affects -1 + src:net-tools
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear release team,
Please unblock package net-tools
[ Reason ]
The main reason is a regression reported both in the last upload for
unstable (and in trixie) from the fix for CVE-2025-46836. As reported
by Christian Herzog in #1106147 in fact the RX counters remain at zero
after the update for ifconfig. Additionally the update includes DEP8
tests and adds two more security fixes (with no CVE so far). A
regression update from the DSA should be released as well, but we
might want to give the package in unstable some more exposure.
[ Impact ]
RX counters remain at zero, which may count as major functional
regression.
[ Tests ]
Manual tests for the ifconfig issue. Additionally the new autopkgtests
are run.
[ Risks ]
The fixes are targeted for the issues.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
As mentioned above we are holding back a regression update for the DSA
yet and gave the update in unstable a bit more exposure. I'm not aware
of other new reports for net-tools.
unblock net-tools/2.10-1.3
Regards,
Salvatore
diff -Nru net-tools-2.10/debian/changelog net-tools-2.10/debian/changelog
--- net-tools-2.10/debian/changelog 2025-05-15 05:43:50.000000000 +0200
+++ net-tools-2.10/debian/changelog 2025-05-22 06:42:28.000000000 +0200
@@ -1,3 +1,18 @@
+net-tools (2.10-1.3) unstable; urgency=medium
+
+ [ Lena Voytek ]
+ * Add new DEP8 tests for hostname and ifconfig
+
+ [ Salvatore Bonaccorso ]
+ * Non-maintainer upload.
+ * Run ifconfig-lo-info autopkgtest with /usr/sbin in PATH for ifconfig
+ * ipmaddr.c: Stack-based buffer Overflow in parse_hex()
+ * Fix interface statistic regression.
+ Thanks to Christian Herzog for the report (Closes: #1106147)
+ * proc.c: Stack-based Buffer Overflow in net-tools (proc_gen_fmt)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Thu, 22 May 2025 06:42:28 +0200
+
net-tools (2.10-1.2) unstable; urgency=medium
* Non-maintainer upload.
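Review bot: the two overflow entries in the 2.10-1.3 stanza ("ipmaddr.c: Stack-based buffer Overflow in parse_hex()" and "proc.c: Stack-based Buffer Overflow in net-tools (proc_gen_fmt)") carry no identifier, although the patch headers in this debdiff record them as GHSA-h667-qrp8-gj58 and GHSA-w7jq-cmw2-cq59. Since neither has a CVE so far, naming the GHSA ids on those changelog lines would let later readers tie the upload to the advisories.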
diff -Nru net-tools-2.10/debian/patches/Interface-statistic-regression-after-7a8f42fb2.patch net-tools-2.10/debian/patches/Interface-statistic-regression-after-7a8f42fb2.patch
--- net-tools-2.10/debian/patches/Interface-statistic-regression-after-7a8f42fb2.patch 1970-01-01 01:00:00.000000000 +0100
+++ net-tools-2.10/debian/patches/Interface-statistic-regression-after-7a8f42fb2.patch 2025-05-22 06:42:28.000000000 +0200
@@ -0,0 +1,32 @@
+From: Bernd Eckenfels <net-tools@lina.inka.de>
+Date: Sat, 17 May 2025 21:53:23 +0200
+Subject: Interface statistic regression after 7a8f42fb2
+Origin: https://github.com/ecki/net-tools/commit/ddb0e375fb9ca95bb69335540b85bbdaa2714348
+Bug-Debian: https://bugs.debian.org/1106147
+
+---
+ lib/interface.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/lib/interface.c b/lib/interface.c
+index a054f126e2f1..ca4adf1a9a53 100644
+--- a/lib/interface.c
++++ b/lib/interface.c
+@@ -239,12 +239,11 @@ static const char *get_name(char *name, const char *p)
+ /* copy the digits */
+ while (*p && isdigit((unsigned char)*p) && dst < end)
+ *dst++ = *p++;
+-
+- if (*p == ':') /* consume trailing colon */
+- ++p;
+ } else { /* if so treat as normal */
+ p = dot;
+ }
++ if (*p == ':') /* consume trailing colon */
++ ++p;
+ break; /* interface name ends here */
+ }
+
+--
+2.49.0
+
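Review bot: the patch header has no description between the Bug-Debian line and the "---", and the subject only names commit 7a8f42fb2, so a reader cannot tell from the patch why moving two lines fixes the statistics. One sentence would do: the `if (*p == ':') ++p;` colon skip in get_name() used to run only in the alias-digits branch and now runs after the `else` (`p = dot`) branch as well, before the `break`.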
diff -Nru net-tools-2.10/debian/patches/ipmaddr.c-Stack-based-buffer-Overflow-in-parse_hex.patch net-tools-2.10/debian/patches/ipmaddr.c-Stack-based-buffer-Overflow-in-parse_hex.patch
--- net-tools-2.10/debian/patches/ipmaddr.c-Stack-based-buffer-Overflow-in-parse_hex.patch 1970-01-01 01:00:00.000000000 +0100
+++ net-tools-2.10/debian/patches/ipmaddr.c-Stack-based-buffer-Overflow-in-parse_hex.patch 2025-05-22 06:42:28.000000000 +0200
@@ -0,0 +1,56 @@
+From: Bernd Eckenfels <net-tools@lina.inka.de>
+Date: Sat, 17 May 2025 21:11:07 +0200
+Subject: ipmaddr.c: Stack-based buffer Overflow in parse_hex()
+Origin: https://github.com/ecki/net-tools/commit/a7926399a04ee8e629a02a2aeb6de1952d42d559
+
+Coordinated as GHSA-h667-qrp8-gj58.
+---
+ ipmaddr.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/ipmaddr.c b/ipmaddr.c
+index 64b7564372ea..623fadd4f09d 100644
+--- a/ipmaddr.c
++++ b/ipmaddr.c
+@@ -91,17 +91,17 @@ static int parse_lla(char *str, char *addr)
+ return len;
+ }
+
+-static int parse_hex(char *str, unsigned char *addr)
++static int parse_hex(char *str, unsigned char *dst, size_t dstlen)
+ {
+ int len=0;
+
+- while (*str) {
++ while (len < dstlen && *str) {
+ int tmp;
+ if (str[1] == 0)
+ return -1;
+ if (sscanf(str, "%02x", &tmp) != 1)
+ return -1;
+- addr[len] = tmp;
++ dst[len] = tmp;
+ len++;
+ str += 2;
+ }
+@@ -152,7 +152,7 @@ void read_dev_mcast(struct ma_info **result_p)
+
+ m.addr.family = AF_PACKET;
+
+- len = parse_hex(hexa, (unsigned char*)&m.addr.data);
++ len = parse_hex(hexa, (unsigned char*)&m.addr.data, sizeof(m.addr.data));
+ if (len >= 0) {
+ struct ma_info *ma = xmalloc(sizeof(m));
+ memcpy(ma, &m, sizeof(m));
+@@ -222,7 +222,7 @@ void read_igmp6(struct ma_info **result_p)
+
+ m.addr.family = AF_INET6;
+
+- len = parse_hex(hexa, (unsigned char*)&m.addr.data);
++ len = parse_hex(hexa, (unsigned char*)&m.addr.data, sizeof(m.addr.data));
+ if (len >= 0) {
+ struct ma_info *ma = xmalloc(sizeof(m));
+ memcpy(ma, &m, sizeof(m));
+--
+2.49.0
+
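Review bot: in parse_hex() the new loop condition `len < dstlen && *str` ends the loop silently once `dst` is full, and nothing in the visible lines distinguishes that from input that fitted, so both call sites, which only test `if (len >= 0)`, would keep a truncated address. Consider returning -1 when `*str` is still non-zero after the loop. `len` is also an `int` compared against the `size_t dstlen`; declaring it `size_t` or casting avoids the signed/unsigned comparison.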
diff -Nru net-tools-2.10/debian/patches/proc.c-Stack-based-Buffer-Overflow-in-net-tools-proc.patch net-tools-2.10/debian/patches/proc.c-Stack-based-Buffer-Overflow-in-net-tools-proc.patch
--- net-tools-2.10/debian/patches/proc.c-Stack-based-Buffer-Overflow-in-net-tools-proc.patch 1970-01-01 01:00:00.000000000 +0100
+++ net-tools-2.10/debian/patches/proc.c-Stack-based-Buffer-Overflow-in-net-tools-proc.patch 2025-05-22 06:42:28.000000000 +0200
@@ -0,0 +1,68 @@
+From: Zephkeks <zephyrofficialdiscord@gmail.com>
+Date: Sat, 17 May 2025 22:11:37 +0200
+Subject: proc.c: Stack-based Buffer Overflow in net-tools (proc_gen_fmt)
+Origin: https://github.com/ecki/net-tools/commit/84041080a5d4794045b098ced90e0309bcbcff44
+
+Coordinated as GHSA-w7jq-cmw2-cq59.
+---
+ lib/proc.c | 37 ++++++++++++++++++++++++++++++++++---
+ 1 file changed, 34 insertions(+), 3 deletions(-)
+
+--- a/lib/proc.c
++++ b/lib/proc.c
+@@ -17,6 +17,8 @@ char *proc_gen_fmt(const char *name, int
+ char buf[512], format[512] = "";
+ char *title, *head, *hdr;
+ va_list ap;
++ size_t format_len = 0;
++ size_t format_size = sizeof(format);
+
+ if (!fgets(buf, (sizeof buf) - 1, fh))
+ return NULL;
+@@ -33,14 +35,43 @@ char *proc_gen_fmt(const char *name, int
+ *hdr++ = 0;
+
+ if (!strcmp(title, head)) {
+- strcat(format, va_arg(ap, char *));
++ const char *arg = va_arg(ap, char *);
++ size_t arg_len = strlen(arg);
++
++ /* Check if we have enough space for format specifier + space */
++ if (format_len + arg_len + 1 >= format_size) {
++ fprintf(stderr, "warning: format buffer overflow in %s\n", name);
++ va_end(ap);
++ return NULL;
++ }
++
++ strcpy(format + format_len, arg);
++ format_len += arg_len;
++
+ title = va_arg(ap, char *);
+ if (!title || !head)
+ break;
+ } else {
+- strcat(format, "%*s"); /* XXX */
++ /* Check if we have enough space for "%*s" */
++ if (format_len + 3 >= format_size) {
++ fprintf(stderr, "warning: format buffer overflow in %s\n", name);
++ va_end(ap);
++ return NULL;
++ }
++
++ strcpy(format + format_len, "%*s");
++ format_len += 3;
+ }
+- strcat(format, " ");
++
++ /* Check if we have space for the trailing space */
++ if (format_len + 1 >= format_size) {
++ fprintf(stderr, "warning: format buffer overflow in %s\n", name);
++ va_end(ap);
++ return NULL;
++ }
++
++ format[format_len++] = ' ';
++ format[format_len] = '\0';
+ }
+ va_end(ap);
+
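Review bot: the three bounds checks in the proc_gen_fmt() loop reserve different amounts: the first (`format_len + arg_len + 1 >= format_size`) leaves room for the separator, the "%*s" one (`format_len + 3 >= format_size`) only for the terminator, and the final check then covers the space again. The result is safe because the last check always runs before `format[format_len++] = ' '`, but a single append helper that checks once for string, space and NUL would remove the three duplicated fprintf/va_end/return NULL blocks and the inconsistent arithmetic. The message also says "warning:" although the function gives up and returns NULL.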
diff -Nru net-tools-2.10/debian/patches/series net-tools-2.10/debian/patches/series
--- net-tools-2.10/debian/patches/series 2025-05-15 05:43:50.000000000 +0200
+++ net-tools-2.10/debian/patches/series 2025-05-22 06:42:28.000000000 +0200
@@ -4,3 +4,6 @@
Bug_900962-man-de-typos.patch
Bug_549397-fix-decoding-of-MII-vendor-ids.patch
CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch
+ipmaddr.c-Stack-based-buffer-Overflow-in-parse_hex.patch
+Interface-statistic-regression-after-7a8f42fb2.patch
+proc.c-Stack-based-Buffer-Overflow-in-net-tools-proc.patch
diff -Nru net-tools-2.10/debian/tests/control net-tools-2.10/debian/tests/control
--- net-tools-2.10/debian/tests/control 1970-01-01 01:00:00.000000000 +0100
+++ net-tools-2.10/debian/tests/control 2025-05-22 06:42:28.000000000 +0200
@@ -0,0 +1,6 @@
+Tests: hostname-set-get
+Depends: net-tools
+Restrictions: needs-root, breaks-testbed
+
+Tests: ifconfig-lo-info
+Depends: net-tools
diff -Nru net-tools-2.10/debian/tests/hostname-set-get net-tools-2.10/debian/tests/hostname-set-get
--- net-tools-2.10/debian/tests/hostname-set-get 1970-01-01 01:00:00.000000000 +0100
+++ net-tools-2.10/debian/tests/hostname-set-get 2025-05-22 06:42:28.000000000 +0200
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -e
+
+ORIGINAL_HOSTNAME=$(hostname)
+
+# Test hostname set using: hostname [newname]
+TEST_HOSTNAME="TestHostname"
+hostname "${TEST_HOSTNAME}"
+
+if [ "$(hostname)" != "${TEST_HOSTNAME}" ]; then
+ echo "Failed to set hostname to ${TEST_HOSTNAME} using hostname [newname]"
+ exit 1
+fi
+
+# Test hostname set using: hostname [-F filename | --file filename]
+TEST_HOSTNAME="testF"
+HOSTNAME_FILENAME="hostnamefile"
+
+touch "${HOSTNAME_FILENAME}"
+echo "${TEST_HOSTNAME}" > "${HOSTNAME_FILENAME}"
+hostname -F "${HOSTNAME_FILENAME}"
+rm "${HOSTNAME_FILENAME}"
+
+if [ "$(hostname)" != "${TEST_HOSTNAME}" ]; then
+ echo "Failed to set hostname to ${TEST_HOSTNAME} using hostname -F ${HOSTNAME_FILENAME}"
+ exit 1
+fi
+
+TEST_HOSTNAME="testfile"
+
+touch "${HOSTNAME_FILENAME}"
+echo "${TEST_HOSTNAME}" > "${HOSTNAME_FILENAME}"
+hostname --file "${HOSTNAME_FILENAME}"
+rm "${HOSTNAME_FILENAME}"
+
+if [ "$(hostname)" != "${TEST_HOSTNAME}" ]; then
+ echo "Failed to set hostname to ${TEST_HOSTNAME} using hostname --file ${HOSTNAME_FILENAME}"
+ exit 1
+fi
+
+# Return to original hostname
+hostname "${ORIGINAL_HOSTNAME}"
+
+if [ "$(hostname)" != "${ORIGINAL_HOSTNAME}" ]; then
+ echo "Failed to set hostname back to ${ORIGINAL_HOSTNAME}"
+ exit 1
+fi
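Review bot: every failure path in hostname-set-get (an explicit `exit 1`, or `set -e` aborting on a failed `hostname` call) leaves before the "Return to original hostname" step, so a failed run leaves the testbed renamed and can leave `hostnamefile` behind in the current directory. A `trap` on EXIT that restores `${ORIGINAL_HOSTNAME}` and removes the file, with the file created under `$AUTOPKGTEST_TMP`, would make the cleanup unconditional. The `touch` before each `echo ... >` is redundant.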
diff -Nru net-tools-2.10/debian/tests/ifconfig-lo-info net-tools-2.10/debian/tests/ifconfig-lo-info
--- net-tools-2.10/debian/tests/ifconfig-lo-info 1970-01-01 01:00:00.000000000 +0100
+++ net-tools-2.10/debian/tests/ifconfig-lo-info 2025-05-22 06:42:28.000000000 +0200
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+PATH="/usr/sbin:${PATH}"
+export PATH
+
+set -e
+
+# Confirm loopback is in the normal list
+if ! ( ifconfig | grep -q lo: ); then
+ echo "Failed to get lo from ifconfig"
+ exit 1
+fi
+
+# Confirm correctness of loopback device
+LO_OUTPUT=$(ifconfig lo)
+
+if ! ( echo "${LO_OUTPUT}" | grep -q lo: ); then
+ echo "Failed to get lo from ifconfig lo"
+ exit 1
+fi
+
+if ! ( echo "${LO_OUTPUT}" | grep -q "inet 127.0.0.1" ); then
+ echo "Failed to get IP of 127.0.0.1 from ifconfig lo"
+ exit 1
+fi
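Review bot: ifconfig-lo-info only checks that `lo:` and `inet 127.0.0.1` appear, so nothing here would catch the regression this upload fixes (#1106147, RX counters staying at zero). Consider adding a check that the RX counters shown by `ifconfig lo` are non-zero after some loopback traffic. The `grep -q lo:` pattern is also unanchored and matches any interface whose name ends in "lo"; `grep -q '^lo:'` is stricter.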
--- End Message ---