
Bug#1005000: buster-pu: package atftp/0.7.git20120829-3.2~deb10u2



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: andi@debian.org

[ Reason ]
Fix of CVE-2021-46671 reported in #1004974.

[ Impact ]
Potential information leak under special circumstances.

[ Tests ]
I checked manually that the changes fix the problem.  The version in
testing has contained the fix for a long time already and no problems
have been observed.

[ Risks ]
Risks are rather low, as the changes are not complicated and have been in
place for the version in testing for quite some time.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
With the fix applied, options sent to the daemon are better checked
to avoid reading past the end of an array.

[ Other info ]
The same problem exists in bullseye and is handled in a separate bullseye-pu.
I am going to upload the fixed version already.

diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog
--- atftp-0.7.git20120829/debian/changelog
+++ atftp-0.7.git20120829/debian/changelog
@@ -1,3 +1,9 @@
+atftp (0.7.git20120829-3.2~deb10u3) buster; urgency=medium
+
+  * Fix for CVE-2021-46671 (Closes: #1004974)
+
+ -- Andreas B. Mundt <andi@debian.org>  Fri, 04 Feb 2022 18:47:25 +0100
+
 atftp (0.7.git20120829-3.2~deb10u2) buster; urgency=medium
 
   * Fix for CVE-2021-41054 (Closes: #994895)
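Review bot: the version introduced by the new changelog entry (0.7.git20120829-3.2~deb10u3) does not match the version in the bug title (0.7.git20120829-3.2~deb10u2); the title should name the version being proposed for buster, so please retitle to `buster-pu: package atftp/0.7.git20120829-3.2~deb10u3`. The entry itself (CVE id plus `Closes: #1004974`) gives the release team what they need.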
diff -u atftp-0.7.git20120829/options.c atftp-0.7.git20120829/options.c
--- atftp-0.7.git20120829/options.c
+++ atftp-0.7.git20120829/options.c
@@ -43,6 +43,12 @@
      struct tftphdr *tftp_data = (struct tftphdr *)data;
      size_t size = data_size - sizeof(tftp_data->th_opcode);
 
+     /* sanity check - requests always end in a null byte,
+      * check to prevent argz_next from reading past the end of
+      * data, as it doesn't do bounds checks */
+     if (data_size == 0 || data[data_size-1] != '\0')
+          return ERR;
+
      /* read filename */
      entry = argz_next(tftp_data->th_stuff, size, entry);
      if (!entry)
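Review bot: the lower bound in `if (data_size == 0 || data[data_size-1] != '\0')` is looser than the computation two lines above it needs: `size` is `data_size - sizeof(tftp_data->th_opcode)` as a `size_t`, so a packet of one NUL byte (`data_size == 1`) passes the new check and `size` wraps to a huge value before it reaches `argz_next`. Requiring a terminating NUL is the right gate, since `argz_next` does no bounds checking; just tighten the length part to `if (data_size <= sizeof(tftp_data->th_opcode) || data[data_size-1] != '\0')` so that `size` can never underflow.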
@@ -79,6 +85,12 @@
      struct tftphdr *tftp_data = (struct tftphdr *)data;
      size_t size = data_size - sizeof(tftp_data->th_opcode);
 
+     /* sanity check - options always end in a null byte,
+      * check to prevent argz_next from reading past the end of
+      * data, as it doesn't do bounds checks */
+     if (data_size == 0 || data[data_size-1] != '\0')
+          return ERR;
+
      while ((entry = argz_next(tftp_data->th_stuff, size, entry)))
      {
           tmp = entry;
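Review bot: this block repeats the check from the previous hunk verbatim, including the same `data_size == 0` lower bound that lets `size` underflow when `data_size` is smaller than `sizeof(tftp_data->th_opcode)`; consider a small static helper (for instance `static int data_is_terminated(const char *data, size_t data_size)`) called from both functions, so the bound is corrected once and the two copies cannot drift apart. The only difference between the two comment blocks is "requests" versus "options", which a shared helper would also absorb.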

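The gate the patch adds (a request must end in a NUL before any NUL-separated string is walked), together with the minimum-length bound that keeps the remaining size from underflowing, shown in an added C example that is not atftp's code and goes a little beyond the patch: a bounds-checked parser for a TFTP read/write request that also walks the RFC 2347 option name/value pairs, locating each string with memchr bounded by the buffer instead of argz_next. tftp_request_t, parse_tftp_request, next_string, the example_* functions and the sample packets are all invented here.

```c
/* Added example, not atftp's code: bounds-checked parsing of a TFTP request
 *     opcode(2 bytes) | filename NUL | mode NUL | [ name NUL value NUL ]...
 * Two gates run before any string is walked: the packet must be at least
 * opcode + one byte long (so the remaining length cannot wrap), and its last
 * byte must be NUL (the check the Debian patch adds).  Every string is then
 * located with memchr limited to the buffer, so nothing is read past
 * data[data_size-1].  All names and sample packets below are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TFTP_RRQ 1
#define TFTP_WRQ 2
#define MAX_OPTS 8

typedef struct {
    uint16_t opcode;
    const char *filename;
    const char *mode;
    size_t n_opts;
    const char *opt_name[MAX_OPTS];
    const char *opt_value[MAX_OPTS];
} tftp_request_t;

/* String starting at data[*pos]; advances *pos past its NUL.  Returns NULL at
 * end of buffer or if no NUL lies inside it (what an unbounded walk would miss). */
static const char *next_string(const char *data, size_t len, size_t *pos)
{
    if (*pos >= len)
        return NULL;
    const char *start = data + *pos;
    const char *nul = memchr(start, '\0', len - *pos);
    if (nul == NULL)
        return NULL;
    *pos = (size_t)(nul - data) + 1;
    return start;
}

/* Returns 0 on success, -1 if the packet is malformed. */
int parse_tftp_request(const char *data, size_t data_size, tftp_request_t *req)
{
    if (data_size < sizeof(uint16_t) + 1)   /* opcode plus at least one byte */
        return -1;
    if (data[data_size - 1] != '\0')        /* the patch's terminator gate */
        return -1;

    memset(req, 0, sizeof(*req));
    req->opcode = (uint16_t)(((uint8_t)data[0] << 8) | (uint8_t)data[1]);
    if (req->opcode != TFTP_RRQ && req->opcode != TFTP_WRQ)
        return -1;

    size_t pos = sizeof(uint16_t);
    req->filename = next_string(data, data_size, &pos);
    req->mode = next_string(data, data_size, &pos);
    if (req->filename == NULL || req->mode == NULL)
        return -1;

    /* Options come in pairs; a name without a value is malformed, and the
     * table is capped so a peer cannot grow it without limit. */
    while (pos < data_size) {
        const char *name = next_string(data, data_size, &pos);
        const char *value = next_string(data, data_size, &pos);
        if (name == NULL || value == NULL || req->n_opts == MAX_OPTS)
            return -1;
        req->opt_name[req->n_opts] = name;
        req->opt_value[req->n_opts] = value;
        req->n_opts++;
    }
    return 0;
}

/* Constructed packets: the literal's implicit trailing NUL is the packet's final
 * terminator, so sizeof() is the packet length.  Literals are kept separate so
 * a "\0" is never followed by a digit (which would form a longer octal escape). */
static const char good_rrq[] = "\x00\x01" "file.bin\0" "octet\0" "blksize\0" "1428";
static const char dangling[] = "\x00\x01" "file.bin\0" "octet\0" "blksize";
static const char one_byte[] = "";   /* a lone NUL: data_size == 1 */

/* Well-formed RRQ with one option: returns the option count (1) or -1. */
int example_good(void)
{
    tftp_request_t r;
    if (parse_tftp_request(good_rrq, sizeof(good_rrq), &r) != 0)
        return -1;
    if (strcmp(r.filename, "file.bin") != 0 || strcmp(r.mode, "octet") != 0)
        return -1;
    if (strcmp(r.opt_name[0], "blksize") != 0 || strcmp(r.opt_value[0], "1428") != 0)
        return -1;
    return (int)r.n_opts;
}
/* Same bytes without the final NUL: rejected by the terminator gate. */
int example_unterminated(void) { tftp_request_t r; return parse_tftp_request(good_rrq, sizeof(good_rrq) - 1, &r); }
/* Single NUL byte: ends in NUL, but fails the minimum-length gate. */
int example_one_byte(void) { tftp_request_t r; return parse_tftp_request(one_byte, sizeof(one_byte), &r); }
/* Option name with no value: rejected by the pair check. */
int example_dangling_option(void) { tftp_request_t r; return parse_tftp_request(dangling, sizeof(dangling), &r); }

int main(void)
{
    printf("good=%d unterminated=%d one_byte=%d dangling=%d\n", example_good(),
           example_unterminated(), example_one_byte(), example_dangling_option());
    return 0;
}
```

The one-byte case is the reason the length gate compares against the opcode size rather than zero: a single NUL satisfies "ends in NUL", so only the minimum-length check stops the remaining size from wrapping around.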