Bug#980938: marked as done (buster-pu: package atftp/0.7.git20120829-3.2~deb10u1)

[Debian Bug Tracking System]

Your message dated Sat, 06 Feb 2021 10:39:26 +0000
with message-id 
<6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 10.8
has caused the Debian Bug report #980938,
regarding buster-pu: package atftp/0.7.git20120829-3.2~deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
980938: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980938
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: car...@debian.org

Hi SRM

The 0.7.git20120829-3.2 to unstable fixed CVE-2020-6097 for atftp. I
propose to address the same (no-dsa marked) issue as well for buster
in an upcoming point release.

Attached is the proposed debdiff. Since there were no other changes
apart the fix to between buster and bullseye, I choosed to make it a
'rebuild for buster' version instead of 0.7.git20120829-3.1+deb10u1.

Regards,
Salvatore

diff -u atftp-0.7.git20120829/debian/changelog 
atftp-0.7.git20120829/debian/changelog
--- atftp-0.7.git20120829/debian/changelog
+++ atftp-0.7.git20120829/debian/changelog
@@ -1,3 +1,17 @@
+atftp (0.7.git20120829-3.2~deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for buster.
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 24 Jan 2021 17:22:14 +0100
+
+atftp (0.7.git20120829-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix for DoS issue CVE-2020-6097 (Closes: #970066)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 27 Dec 2020 21:28:40 +0100
+
 atftp (0.7.git20120829-3.1) unstable; urgency=high
 
   * Non-maintainer upload.
diff -u atftp-0.7.git20120829/tftp_def.c atftp-0.7.git20120829/tftp_def.c
--- atftp-0.7.git20120829/tftp_def.c
+++ atftp-0.7.git20120829/tftp_def.c
@@ -180,6 +180,15 @@
      return OK;
 }
 
+int
+sockaddr_family_supported(const struct sockaddr_storage *ss)
+{
+     if (ss->ss_family == AF_INET || ss->ss_family == AF_INET6)
+          return 1;
+     else
+          return 0;
+}
+
 char *
 sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len)
 {
@@ -189,7 +198,7 @@
      else if (ss->ss_family == AF_INET6)
           addr = &((const struct sockaddr_in6 *)ss)->sin6_addr;
      else
-          assert(!"sockaddr_print: unsupported address family");
+          return "sockaddr_print: unsupported address family";
      return (char *)inet_ntop(ss->ss_family, addr, buf, len);
 }
 
diff -u atftp-0.7.git20120829/tftp_def.h atftp-0.7.git20120829/tftp_def.h
--- atftp-0.7.git20120829/tftp_def.h
+++ atftp-0.7.git20120829/tftp_def.h
@@ -54,6 +54,7 @@
 inline char *Strncpy(char *to, const char *from, size_t size);
 int Gethostbyname(char *addr, struct hostent *host);
 
+int sockaddr_family_supported(const struct sockaddr_storage *ss);
 char *sockaddr_print_addr(const struct sockaddr_storage *, char *, size_t);
 #define SOCKADDR_PRINT_ADDR_LEN INET6_ADDRSTRLEN
 uint16_t sockaddr_get_port(const struct sockaddr_storage *);
diff -u atftp-0.7.git20120829/tftpd.c atftp-0.7.git20120829/tftpd.c
--- atftp-0.7.git20120829/tftpd.c
+++ atftp-0.7.git20120829/tftpd.c
@@ -644,6 +644,11 @@
      }
 
 #ifdef HAVE_WRAP
+     if (!abort && !sockaddr_family_supported(&data->client_info->client))
+     {
+          logger(LOG_ERR, "Connection from unsupported network address family 
refused");
+          abort = 1;
+     }
      if (!abort)
      {
           /* Verify the client has access. We don't look for the name but
diff -u atftp-0.7.git20120829/tftpd_mtftp.c atftp-0.7.git20120829/tftpd_mtftp.c
--- atftp-0.7.git20120829/tftpd_mtftp.c
+++ atftp-0.7.git20120829/tftpd_mtftp.c
@@ -393,6 +393,11 @@
                                         &data_size, data->data_buffer);
 
 #ifdef HAVE_WRAP
+               if (!sockaddr_family_supported(&sa))
+               {
+                    logger(LOG_ERR, "mtftp: Connection from unsupported 
network address family refused");
+                    continue;
+               }
                /* Verify the client has access. We don't look for the name but
                   rely only on the IP address for that. */
                sockaddr_print_addr(&sa, addr_str, sizeof(addr_str));

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 10.8

Hi,

Each of the updates referenced by these bugs was included in today's
10.8 point release.

Regards,

Adam

--- End Message ---