Date: Friday, January 1, 2021 @ 23:37:15 Author: eworm Revision: 803016
upgpkg: atftp 0.7.2-3: fix CVE-2020-6097 Added: atftp/trunk/0001-Fix-for-DoS-issue-CVE-2020-6097.patch Modified: atftp/trunk/PKGBUILD --------------------------------------------+ 0001-Fix-for-DoS-issue-CVE-2020-6097.patch | 99 +++++++++++++++++++++++++++ PKGBUILD | 10 ++ 2 files changed, 108 insertions(+), 1 deletion(-) Added: 0001-Fix-for-DoS-issue-CVE-2020-6097.patch =================================================================== --- 0001-Fix-for-DoS-issue-CVE-2020-6097.patch (rev 0) +++ 0001-Fix-for-DoS-issue-CVE-2020-6097.patch 2021-01-01 23:37:15 UTC (rev 803016) @@ -0,0 +1,99 @@ +From 96409ef3b9ca061f9527cfaafa778105cf15d994 Mon Sep 17 00:00:00 2001 +From: Peter Kaestle <[email protected]> +Date: Wed, 14 Oct 2020 14:02:41 +0200 +Subject: [PATCH 1/1] Fix for DoS issue CVE-2020-6097 + +"sockaddr_print_addr" of tftpd can be triggered remotely to call +assert(), which will crash the tftpd daemon. See: +https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029 + +"sockaddr_print_addr" originaly had two features: +1) returning pointer to string of the incoming ip address +2) checking whether ss_family of the connection is supported + +To fix the issue, a separate function "sockaddr_family_supported" is +used to take care of 2) and "sockaddr_print_addr" returns an error +message string for unsupported cases when using 1) insert of calling +assert(). + +Signed-off-by: Christian Hesse <[email protected]> +--- + tftp_def.c | 11 ++++++++++- + tftp_def.h | 1 + + tftpd.c | 5 +++++ + tftpd_mtftp.c | 5 +++++ + 4 files changed, 21 insertions(+), 1 deletion(-) + +diff --git a/tftp_def.c b/tftp_def.c +index d457c2a..428a930 100644 +--- a/tftp_def.c ++++ b/tftp_def.c +@@ -180,6 +180,15 @@ int Gethostbyname(char *addr, struct hostent *host) + return OK; + } + ++int ++sockaddr_family_supported(const struct sockaddr_storage *ss) ++{ ++ if (ss->ss_family == AF_INET || ss->ss_family == AF_INET6) ++ return 1; ++ else ++ return 0; ++} ++ + char * + sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len) + { +@@ -189,7 +198,7 @@ sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len) + else if (ss->ss_family == AF_INET6) + addr = &((const struct sockaddr_in6 *)ss)->sin6_addr; + else +- assert(!"sockaddr_print: unsupported address family"); ++ return "sockaddr_print: unsupported address family"; + return (char *)inet_ntop(ss->ss_family, addr, buf, len); + } + +diff --git a/tftp_def.h b/tftp_def.h +index 0841746..458e310 100644 +--- a/tftp_def.h ++++ b/tftp_def.h +@@ -54,6 +54,7 @@ int print_eng(double value, char *string, int size, char *format); + inline char *Strncpy(char *to, const char *from, size_t size); + int Gethostbyname(char *addr, struct hostent *host); + ++int sockaddr_family_supported(const struct sockaddr_storage *ss); + char *sockaddr_print_addr(const struct sockaddr_storage *, char *, size_t); + #define SOCKADDR_PRINT_ADDR_LEN INET6_ADDRSTRLEN + uint16_t sockaddr_get_port(const struct sockaddr_storage *); +diff --git a/tftpd.c b/tftpd.c +index 0b6f6a5..a7561a5 100644 +--- a/tftpd.c ++++ b/tftpd.c +@@ -644,6 +644,11 @@ void *tftpd_receive_request(void *arg) + } + + #ifdef HAVE_WRAP ++ if (!abort && !sockaddr_family_supported(&data->client_info->client)) ++ { ++ logger(LOG_ERR, "Connection from unsupported network address family refused"); ++ abort = 1; ++ } + if (!abort) + { + /* Verify the client has access. We don't look for the name but +diff --git a/tftpd_mtftp.c b/tftpd_mtftp.c +index d420d10..0032905 100644 +--- a/tftpd_mtftp.c ++++ b/tftpd_mtftp.c +@@ -393,6 +393,11 @@ void *tftpd_mtftp_server(void *arg) + &data_size, data->data_buffer); + + #ifdef HAVE_WRAP ++ if (!sockaddr_family_supported(&sa)) ++ { ++ logger(LOG_ERR, "mtftp: Connection from unsupported network address family refused"); ++ continue; ++ } + /* Verify the client has access. We don't look for the name but + rely only on the IP address for that. */ + sockaddr_print_addr(&sa, addr_str, sizeof(addr_str)); Modified: PKGBUILD =================================================================== --- PKGBUILD 2021-01-01 23:06:48 UTC (rev 803015) +++ PKGBUILD 2021-01-01 23:37:15 UTC (rev 803016) @@ -3,7 +3,7 @@ pkgname=atftp pkgver=0.7.2 -pkgrel=2 +pkgrel=3 pkgdesc='Client/server implementation of the TFTP protocol that implements RFCs 1350, 2090, 2347, 2348, and 2349' arch=('x86_64') url='https://sourceforge.net/projects/atftp/' @@ -11,16 +11,24 @@ depends=('pcre' 'readline') backup=('etc/conf.d/atftpd') source=("https://downloads.sf.net/sourceforge/atftp/atftp-$pkgver.tar.gz"; + '0001-Fix-for-DoS-issue-CVE-2020-6097.patch' 'atftpd.service' 'atftpd.conf' 'sysusers.conf' 'tmpfiles.conf') sha256sums=('1ad080674e9f974217b3a703e7356c6c8446dc5e7b2014d0d06e1bfaa11b5041' + '1293479d9aa4bfabfe2a520862bf09ad11e70344426fb980cbf8ed745e8fef31' '74a030f0fb48e97470d59d767039e44d28cbd6c4722621207684220210b8fa65' '0b28125099ffdd6869c6fbcb3167e93ccd71a0c6e465b1b62c7dedf9f628dd4e' 'e56f601bcdf0d64bf98813cd4a1be323541e33921c7d4f350168f62b56e66d11' '2096272445c736ba05529af628cc2d46d0236c8f1ecbd50bb1db6dc6c4a972c5') +prepare() { + cd atftp-$pkgver + + patch -Np1 < ../0001-Fix-for-DoS-issue-CVE-2020-6097.patch +} + build() { cd atftp-$pkgver
