Control: tags 927553 + pending Dear maintainer,
I've prepared an NMU for atftp (versioned as 0.7.git20120829-3.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog --- atftp-0.7.git20120829/debian/changelog +++ atftp-0.7.git20120829/debian/changelog @@ -1,3 +1,11 @@ +atftp (0.7.git20120829-3.1) unstable; urgency=high + + * Non-maintainer upload. + * Fix concurrency issue denial of service (CVE-2019-11366) (Closes: #927553) + * Fix error handler stack overflow (CVE-2019-11365) (Closes: #927553) + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 29 Apr 2019 19:37:52 +0200 + atftp (0.7.git20120829-3) unstable; urgency=medium * Ack previous NMU diff -u atftp-0.7.git20120829/tftpd_file.c atftp-0.7.git20120829/tftpd_file.c --- atftp-0.7.git20120829/tftpd_file.c +++ atftp-0.7.git20120829/tftpd_file.c @@ -304,9 +304,7 @@ else logger(LOG_WARNING, "source port mismatch, check bypassed"); } - Strncpy(string, tftphdr->th_msg, - (((data_size - 4) > MAXLEN) ? MAXLEN : - (data_size - 4))); + Strncpy(string, tftphdr->th_msg, sizeof(string)); if (data->trace) logger(LOG_DEBUG, "received ERROR <code: %d, msg: %s>", ntohs(tftphdr->th_code), string); @@ -954,9 +952,7 @@ } } /* Got an ERROR from the current master client */ - Strncpy(string, tftphdr->th_msg, - (((data_size - 4) > MAXLEN) ? MAXLEN : - (data_size - 4))); + Strncpy(string, tftphdr->th_msg, sizeof(string)); if (data->trace) logger(LOG_DEBUG, "received ERROR <code: %d, msg: %s>", ntohs(tftphdr->th_code), string); diff -u atftp-0.7.git20120829/tftpd_list.c atftp-0.7.git20120829/tftpd_list.c --- atftp-0.7.git20120829/tftpd_list.c +++ atftp-0.7.git20120829/tftpd_list.c @@ -49,11 +49,11 @@ */ int tftpd_list_add(struct thread_data *new) { + pthread_mutex_lock(&thread_list_mutex); + struct thread_data *current = thread_data; int ret; - pthread_mutex_lock(&thread_list_mutex); - number_of_thread++; ret = number_of_thread; 
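Review bot: The replacement call `Strncpy(string, tftphdr->th_msg, sizeof(string));` bounds the write to the destination but no longer depends on how many bytes were actually received. An ERROR packet whose `th_msg` carries no NUL terminator therefore lets the copy run past the end of the datagram into stale receive-buffer contents, which then go to `logger()` when tracing is on. Limiting the copy by both sizes keeps the overflow fix and the length check: `size_t n = data_size > 4 ? (size_t)(data_size - 4) : 0;`, `if (n >= sizeof(string)) n = sizeof(string) - 1;`, `memcpy(string, tftphdr->th_msg, n); string[n] = '\0';`. This assumes `string` is a char array and `data_size` is the received length; both are declared outside the hunk, as is the rest of the enclosing function. The same call appears in the second tftpd_file.c hunk (`@@ -954`) and in tftpd_mtftp.c (`@@ -635`).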
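Review bot: In `tftpd_list_add` the `pthread_mutex_lock(&thread_list_mutex);` call now sits above the local declarations, so the function mixes statements and declarations and nothing records why the order matters. Keeping the declarations first with `struct thread_data *current;` and assigning `current = thread_data;` directly after the lock gives the same protection and still builds with pre-C99 settings or `-Wdeclaration-after-statement`. A comment such as `/* thread_data may only be read while thread_list_mutex is held */` would tell the next editor not to move the read back. The same layout is used in the other tftpd_list.c hunks (`@@ -81`, `@@ -137`, `@@ -214`, `@@ -230`, `@@ -250`, `@@ -334`). The function body continues past the hunk, so whether every return path unlocks cannot be checked here.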
@@ -81,11 +81,11 @@ */ int tftpd_list_remove(struct thread_data *old) { + pthread_mutex_lock(&thread_list_mutex); + struct thread_data *current = thread_data; int ret; - pthread_mutex_lock(&thread_list_mutex); - number_of_thread--; ret = number_of_thread; @@ -137,6 +137,9 @@ struct thread_data *data, struct client_info *client) { + /* lock the whole list before walking it */ + pthread_mutex_lock(&thread_list_mutex); + struct thread_data *current = thread_data; /* head of the list */ struct tftp_opt *tftp_options = data->tftp_options; struct client_info *tmp; @@ -152,7 +155,4 @@ len = (int)((unsigned long)index - (unsigned long)options); - /* lock the whole list before walking it */ - pthread_mutex_lock(&thread_list_mutex); - while (current) { @@ -214,9 +214,9 @@ void tftpd_clientlist_remove(struct thread_data *thread, struct client_info *client) { + pthread_mutex_lock(&thread->client_mutex); struct client_info *tmp = thread->client_info; - pthread_mutex_lock(&thread->client_mutex); while ((tmp->next != client) && (tmp->next != NULL)) tmp = tmp->next; if (tmp->next == NULL) @@ -230,10 +230,11 @@ */ void tftpd_clientlist_free(struct thread_data *thread) { + pthread_mutex_lock(&thread->client_mutex); + struct client_info *tmp; struct client_info *head = thread->client_info; - pthread_mutex_lock(&thread->client_mutex); while (head) { tmp = head; @@ -250,10 +251,10 @@ struct client_info *client, struct sockaddr_storage *sock) { - struct client_info *head = thread->client_info; - pthread_mutex_lock(&thread->client_mutex); + struct client_info *head = thread->client_info; + if (client) { client->done = 1; 
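Review bot: `tftpd_clientlist_remove` (`@@ -214`) dereferences `tmp->next` in the loop condition straight after `tmp = thread->client_info`, with no check that the list head is non-NULL. Taking `client_mutex` first fixes the racy read but not the empty-list case. A guard such as `if (tmp == NULL) { pthread_mutex_unlock(&thread->client_mutex); return; }` before the `while` would cover it. Whether the head can be NULL at this point depends on callers and on `tftpd_clientlist_free`, whose hunk (`@@ -230`) shows it freeing the same list but not what it leaves in `thread->client_info`. The rest of the function lies outside the hunk.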
@@ -334,10 +335,9 @@ void tftpd_list_kill_threads(void) { - struct thread_data *current = thread_data; /* head of list */ - pthread_mutex_lock(&thread_list_mutex); + struct thread_data *current = thread_data; /* head of list */ while (current != NULL) { diff -u atftp-0.7.git20120829/tftpd_mtftp.c atftp-0.7.git20120829/tftpd_mtftp.c --- atftp-0.7.git20120829/tftpd_mtftp.c +++ atftp-0.7.git20120829/tftpd_mtftp.c @@ -635,9 +635,7 @@ if (sockaddr_equal(sa, &from)) { /* Got an ERROR from the current master client */ - Strncpy(string, tftphdr->th_msg, - (((data_size - 4) > MAXLEN) ? MAXLEN : - (data_size - 4))); + Strncpy(string, tftphdr->th_msg, sizeof(string)); if (data->mtftp_data->trace) logger(LOG_DEBUG, "received ERROR <code: %d, msg: %s>", ntohs(tftphdr->th_code), string);