Bug#1005000: buster-pu: package atftp/0.7.git20120829-3.2~deb10u2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: andi@debian.org
[ Reason ]
Fix of CVE-2021-46671 reported in #1004974.
[ Impact ]
Potential information leak under special circumstances.
[ Tests ]
I checked manually that the changes fix the problem. The version in
testing has contained the fix for a long time, and no problems have
been observed.
[ Risks ]
Risks are rather low, as the changes are not complicated and have been
in place in the version in testing for quite some time.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
With the fix applied, options sent to the daemon are better checked
to avoid reading past the end of an array.
[ Other info ]
The same problem exists in bullseye and is handled in a separate bullseye-pu.
I am going to upload the fixed version already.
diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog
--- atftp-0.7.git20120829/debian/changelog
+++ atftp-0.7.git20120829/debian/changelog
@@ -1,3 +1,9 @@
+atftp (0.7.git20120829-3.2~deb10u3) buster; urgency=medium
+
+ * Fix for CVE-2021-46671 (Closes: #1004974)
+
+ -- Andreas B. Mundt <andi@debian.org> Fri, 04 Feb 2022 18:47:25 +0100
+
atftp (0.7.git20120829-3.2~deb10u2) buster; urgency=medium
* Fix for CVE-2021-41054 (Closes: #994895)
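Review bot: The new entry at the top of debian/changelog says only "Fix for CVE-2021-46671" and does not say what was changed. Naming options.c and the added check (data that does not end in a null byte is rejected before argz_next is called) would let a reader understand the fix from the changelog alone. The entry's version is 0.7.git20120829-3.2~deb10u3 while the bug title names ~deb10u2, so the title should be checked against the version being uploaded.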
diff -u atftp-0.7.git20120829/options.c atftp-0.7.git20120829/options.c
--- atftp-0.7.git20120829/options.c
+++ atftp-0.7.git20120829/options.c
@@ -43,6 +43,12 @@
struct tftphdr *tftp_data = (struct tftphdr *)data;
size_t size = data_size - sizeof(tftp_data->th_opcode);
+ /* sanity check - requests always end in a null byte,
+ * check to prevent argz_next from reading past the end of
+ * data, as it doesn't do bounds checks */
+ if (data_size == 0 || data[data_size-1] != '\0')
+ return ERR;
+
/* read filename */
entry = argz_next(tftp_data->th_stuff, size, entry);
if (!entry)
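Review bot: The added check in the first options.c hunk rejects only data_size == 0, but size is computed just above it as data_size - sizeof(tftp_data->th_opcode). A data_size smaller than the opcode field whose last byte is '\0' therefore still passes, and size has already wrapped to a very large size_t that is then handed to argz_next. Consider rejecting any data_size smaller than sizeof(tftp_data->th_opcode) in the same condition, and placing the check before size is computed.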
@@ -79,6 +85,12 @@
struct tftphdr *tftp_data = (struct tftphdr *)data;
size_t size = data_size - sizeof(tftp_data->th_opcode);
+ /* sanity check - options always end in a null byte,
+ * check to prevent argz_next from reading past the end of
+ * data, as it doesn't do bounds checks */
+ if (data_size == 0 || data[data_size-1] != '\0')
+ return ERR;
+
while ((entry = argz_next(tftp_data->th_stuff, size, entry)))
{
tmp = entry;
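Review bot: The six added lines in the second options.c hunk repeat the check from the first hunk verbatim, so a later correction to one copy can easily miss the other. Moving the test into one small helper that both functions call would keep them in sync. No caller is shown in the diff, so it is also worth confirming that each caller treats the new ERR return as a reason to drop the packet.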
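The check described under [ Changes ], as an added example that is not part of the original report or of atftp's code: a field walker that refuses a request whose last byte is not a null byte and never reads beyond data_size. It uses memchr instead of argz_next; the names count_fields and OPCODE_LEN and the sample packet are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OPCODE_LEN 2 /* assumption: 2-byte TFTP opcode, as in RFC 1350 */

/* Count the null-terminated fields that follow the opcode.
 * Returns -1 when the packet is too short or does not end in '\0'. */
int count_fields(const char *data, size_t data_size)
{
    /* Length is tested first, so data[data_size - 1] is never read
     * for an empty packet and the subtraction below cannot wrap. */
    if (data_size <= OPCODE_LEN || data[data_size - 1] != '\0')
        return -1;

    const char *p = data + OPCODE_LEN;
    const char *end = data + data_size;
    int n = 0;

    while (p < end) {
        /* memchr is bounded by the remaining length; the final '\0'
         * checked above guarantees a match inside the buffer. */
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (nul == NULL)
            return -1;
        n++;
        p = nul + 1;
    }
    return n;
}

/* Constructed sample read request (not captured traffic):
 * opcode 1, then "boot.img", "octet", "blksize", "1428". */
static const char rrq_ok[] = "\0\001boot.img\0octet\0blksize\0" "1428";

int main(void)
{
    printf("terminated:   %d\n", count_fields(rrq_ok, sizeof rrq_ok));
    printf("unterminated: %d\n", count_fields(rrq_ok, sizeof rrq_ok - 1));
    printf("one byte:     %d\n", count_fields(rrq_ok, 1));
    return 0;
}
```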