URL:
  <https://savannah.gnu.org/bugs/?68140>

                 Summary: [SECURITY][BUG][freeipmi-1.6.16] Stack buffer overflow in ipmi_oem_supermicro_extra_firmware_info
                   Group: GNU FreeIPMI
               Submitter: chnzzh
               Submitted: Wed 11 Mar 2026 03:40:13 AM UTC
                Category: ipmi-oem
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: Crash
                  Status: None
                 Privacy: Private
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Unlocked
        Operating System: None


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Wed 11 Mar 2026 03:40:13 AM UTC By: Zhihan Zheng <chnzzh>
Hello FreeIPMI developers,

I am reporting a stack-based buffer overflow vulnerability in FreeIPMI
1.6.16.

## Vulnerability Summary
- Component: ipmi-oem
- Function: ipmi_oem_supermicro_extra_firmware_info
- Type: stack-based out-of-bounds write
- CWE: CWE-121, CWE-787

## Affected Scope
- Upstream: freeipmi-1.6.16
- Also reproduced on apt-installed system package build:
  - package: freeipmi-tools 1.6.13-3
  - binary: /usr/sbin/ipmi-oem (some systems use /usr/bin/ipmi-oem)

## Reproduction
A self-contained reproduction package is attached (4 files):
- advisory.md — detailed write-up
- build.sh — builds freeipmi-1.6.16 with ASAN
- poc_run.sh — starts PoC server and drives the vulnerable code path
- poc_server.py — minimal IPMI response server that sends the crafted payload

Expected outcomes:
1. Source/ASAN path (`./build.sh && ./run.sh`): AddressSanitizer reports
stack-buffer-overflow.
2. apt binary path (`/usr/sbin/ipmi-oem ... supermicro extra-firmware-info`
against same server): `*** buffer overflow detected ***`, abnormal exit
(`rc=134` in my run).

Please confirm receipt. I am happy to coordinate on a CVE assignment and patch
timeline.

Report date: 2026-03-11

Best regards,
Zhihan Zheng






    _______________________________________________________
File Attachments:

Name: poc_server.py                  Size: 4.5KiB
Name: build.sh                       Size: 424B
Name: poc_run.sh                     Size: 867B
Name: advisory.md                    Size: 2.0KiB
