Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package iputils for openSUSE:Factory checked in at 2025-05-15 16:59:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/iputils (Old)
 and      /work/SRC/openSUSE:Factory/.iputils.new.30101 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "iputils" Thu May 15 16:59:15 2025 rev:72 rq:1277017 version:20240905 Changes: -------- --- /work/SRC/openSUSE:Factory/iputils/iputils.changes 2025-01-06 16:05:19.062012422 +0100 +++ /work/SRC/openSUSE:Factory/.iputils.new.30101/iputils.changes 2025-05-15 16:59:20.933098405 +0200 @@ -1,0 +2,7 @@ +Mon May 12 15:38:14 UTC 2025 - Angel Yankov <angel.yan...@suse.com> + +- Security fix [bsc#1242300, CVE-2025-47268] + * integer overflow in RTT calculation can lead to undefined behavior + * Add iputils-CVE-2025-47268.patch + +------------------------------------------------------------------- New: ---- iputils-CVE-2025-47268.patch BETA DEBUG BEGIN: New: * integer overflow in RTT calculation can lead to undefined behavior * Add iputils-CVE-2025-47268.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ iputils.spec ++++++ --- /var/tmp/diff_new_pack.aA0CWi/_old 2025-05-15 16:59:21.569125087 +0200 +++ /var/tmp/diff_new_pack.aA0CWi/_new 2025-05-15 16:59:21.569125087 +0200 @@ -25,6 +25,8 @@ URL: https://github.com/iputils/iputils Source0: https://github.com/iputils/iputils/releases/download/%{version}/iputils-%{version}.tar.xz Patch0: 0001-Fix-ping-man-page-syntax-error.patch +# PATCH-FIX-UPSTREAM: bcs#1242300 CVE-2025-47268 integer overflow in RTT calculation can lead to undefined behavior +Patch1: iputils-CVE-2025-47268.patch BuildRequires: docbook5-xsl-stylesheets BuildRequires: docbook_5 BuildRequires: iproute2 ++++++ iputils-CVE-2025-47268.patch ++++++ >From 070cfacd7348386173231fb16fad4983d4e6ae40 Mon Sep 17 00:00:00 2001 
From: Petr Vorel <pvo...@suse.cz>
Date: Mon, 5 May 2025 23:55:57 +0200
Subject: [PATCH] ping: Fix signed 64-bit integer overflow in RTT calculation

Crafted ICMP Echo Reply packet can cause signed integer overflow in

1) triptime calculation:
triptime = tv->tv_sec * 1000000 + tv->tv_usec;

2) tsum2 increment which uses triptime
rts->tsum2 += (double)((long long)triptime * (long long)triptime);

3) final tmvar:
tmvar = (rts->tsum2 / total) - (tmavg * tmavg)

    $ export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
    $ export LDFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer"
    $ meson setup .. -Db_sanitize=address,undefined
    $ ninja
    $ ./ping/ping -c2 127.0.0.1
    PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.061 ms
    ../ping/ping_common.c:757:25: runtime error: signed integer overflow: -2513732689199106 * 1000000 cannot be represented in type 'long int'
    ../ping/ping_common.c:757:12: runtime error: signed integer overflow: -4975495174606980224 + -6510615555425289427 cannot be represented in type 'long int'
    ../ping/ping_common.c:769:47: runtime error: signed integer overflow: 6960633343677281965 * 6960633343677281965 cannot be represented in type 'long int'
    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
    ./ping/ping: Warning: time of day goes back (-7256972569576721377us), taking countermeasures
    ./ping/ping: Warning: time of day goes back (-7256972569576721232us), taking countermeasures
    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
    ../ping/ping_common.c:265:16: runtime error: signed integer overflow: 6960633343677281965 * 2 cannot be represented in type 'long int'
    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.565 ms

    --- 127.0.0.1 ping statistics ---
    2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1002ms
    ../ping/ping_common.c:940:42: runtime error: signed integer overflow: 1740158335919320832 * 1740158335919320832 cannot be represented in type 'long int'
    rtt min/avg/max/mdev = 0.000/1740158335919320.832/6960633343677281.965/-1623514645242292.-224 ms

To fix the overflow check allowed ranges of struct timeval members:
* tv_sec <0, LONG_MAX/1000000>
* tv_usec <0, 999999>

Fix includes 2 new error messages (needs translation).
Also existing message "time of day goes back ..." needed to be modified
as it now prints tv->tv_sec which is a second (needs translation update).

After fix:

    $ ./ping/ping -c2 127.0.0.1
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.057 ms
    ./ping/ping: Warning: invalid tv_usec -6510615555424928611 us
    ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures
    ./ping/ping: Warning: invalid tv_usec -6510615555424928461 us
    ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures
    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
    ./ping/ping: Warning: invalid tv_usec -6510615555425884541 us
    ./ping/ping: Warning: time of day goes back (-4243165695442945 s), taking countermeasures
    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.111 ms

    --- 127.0.0.1 ping statistics ---
    2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 101ms
    rtt min/avg/max/mdev = 0.000/0.042/0.111/0.046 ms

Fixes: https://github.com/iputils/iputils/issues/584
Fixes: CVE-2025-472
Link: https://github.com/Zephkek/ping-rtt-overflow/
Co-developed-by: Cyril Hrubis <chru...@suse.cz>
Reported-by: Mohamed Maatallah <hotelsmaatallahrecem...@gmail.com>
Reviewed-by: Mohamed Maatallah <hotelsmaatallahrecem...@gmail.com>
Reviewed-by: Cyril Hrubis <chru...@suse.cz>
Reviewed-by: Noah Meyerhans <no...@debian.org>
Signed-off-by: Petr Vorel <pvo...@suse.cz>
--- iputils_common.h | 3 +++ ping/ping_common.c | 22 +++++++++++++++++++--- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/iputils_common.h b/iputils_common.h index 49e790d8..829a7499 100644 --- a/iputils_common.h +++ b/iputils_common.h 
@@ -10,6 +10,9 @@ !!__builtin_types_compatible_p(__typeof__(arr), \ __typeof__(&arr[0]))])) * 0) +/* 1000001 = 1000000 tv_sec + 1 tv_usec */ +#define TV_SEC_MAX_VAL (LONG_MAX/1000001) + #ifdef __GNUC__ # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m))) #else diff --git a/ping/ping_common.c b/ping/ping_common.c index dadd2a4e..4e99d89a 100644 --- a/ping/ping_common.c +++ b/ping/ping_common.c @@ -754,16 +754,32 @@ int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen, restamp: tvsub(tv, &tmp_tv); - triptime = tv->tv_sec * 1000000 + tv->tv_usec; - if (triptime < 0) { - error(0, 0, _("Warning: time of day goes back (%ldus), taking countermeasures"), triptime); + + if (tv->tv_usec >= 1000000) { + error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec); + tv->tv_usec = 999999; + } + + if (tv->tv_usec < 0) { + error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec); + tv->tv_usec = 0; + } + + if (tv->tv_sec > TV_SEC_MAX_VAL) { + error(0, 0, _("Warning: invalid tv_sec %ld s"), tv->tv_sec); + triptime = 0; + } else if (tv->tv_sec < 0) { + error(0, 0, _("Warning: time of day goes back (%ld s), taking countermeasures"), tv->tv_sec); triptime = 0; if (!rts->opt_latency) { gettimeofday(tv, NULL); rts->opt_latency = 1; goto restamp; } + } else { + triptime = tv->tv_sec * 1000000 + tv->tv_usec; } + if (!csfailed) { rts->tsum += triptime; rts->tsum2 += (double)((long long)triptime * (long long)triptime);
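
Review bot: In the gather_statistics() hunk of ping/ping_common.c, the new else branch still allows triptime to reach roughly LONG_MAX (tv_sec up to TV_SEC_MAX_VAL, times 1000000, plus tv_usec), and the unchanged context line "rts->tsum2 += (double)((long long)triptime * (long long)triptime);" squares that value in long long before the cast. With a 64-bit long long the product overflows once triptime exceeds roughly 3.0e9 microseconds (about 50 minutes), so a reply timestamp that passes the new range checks can still trigger signed overflow there, and "rts->tsum += triptime;" can overflow by accumulation as well. Either clamp triptime to a bound whose square fits in long long, or convert to double before multiplying, for example "(double)triptime * (double)triptime".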
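
Review bot: TV_SEC_MAX_VAL in the iputils_common.h hunk expands to an expression using LONG_MAX, but the hunk adds no "#include <limits.h>", so the macro only compiles where the including file has already pulled that header in; adding the include to iputils_common.h would make the definition self-contained. The divisor also disagrees with the commit message, which states the allowed range as "tv_sec <0, LONG_MAX/1000000>" while the macro uses LONG_MAX/1000001; the message or the comment above the macro should be aligned so the documented bound matches the code.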
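
Review bot: In the iputils.spec hunk, the PATCH-FIX-UPSTREAM comment above Patch1 reads "bcs#1242300", while the iputils.changes entry in the same submission uses "bsc#1242300". The spec comment should use the bsc# prefix too, so that the bug reference is found by anything that searches the package for that identifier.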