commit: fb0a9a8269b01b991bb14c1382058d84de966ea2 Author: Tobias Klausmann <klausman <AT> gentoo <DOT> org> AuthorDate: Tue Jan 12 11:54:22 2021 +0000 Commit: Tobias Klausmann <klausman <AT> gentoo <DOT> org> CommitDate: Tue Jan 12 11:55:58 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb0a9a82
net-ftp/atftp: Add -r addressing CVE 2020-6097 Patch sourced from: https://sourceforge.net/u/peterkaestle/atftp/ci/96409ef3b9ca061f9527cfaafa778105cf15d994/ Bug: https://bugs.gentoo.org/741566 Signed-off-by: Tobias Klausmann <klausman <AT> gentoo.org> net-ftp/atftp/atftp-0.7.2-r2.ebuild | 68 ++++++++++++++++ .../atftp/files/atftp-0.7.2-cve-2020-6097.patch | 92 ++++++++++++++++++++++ 2 files changed, 160 insertions(+) diff --git a/net-ftp/atftp/atftp-0.7.2-r2.ebuild b/net-ftp/atftp/atftp-0.7.2-r2.ebuild new file mode 100644 index 00000000000..28a0da5d668 --- /dev/null +++ b/net-ftp/atftp/atftp-0.7.2-r2.ebuild @@ -0,0 +1,68 @@ +# Copyright 2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 +inherit autotools flag-o-matic systemd + +DESCRIPTION="Advanced TFTP implementation client/server" +HOMEPAGE="https://sourceforge.net/projects/atftp/"; +SRC_URI="mirror://sourceforge/atftp/${P}.tar.gz" + +LICENSE="GPL-2+" +SLOT="0" +KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~s390 ~sparc ~x86" +IUSE="selinux tcpd readline pcre" + +DEPEND="tcpd? ( sys-apps/tcp-wrappers ) + readline? ( sys-libs/readline:0= ) + pcre? ( dev-libs/libpcre )" +RDEPEND="${DEPEND} + !net-ftp/tftp-hpa + !net-ftp/uftpd + selinux? ( sec-policy/selinux-tftp )" +BDEPEND="" + +PATCHES=( + "${FILESDIR}/${P}-CFLAGS.patch" + "${FILESDIR}/${P}-cve-2020-6097.patch" +) + +src_prepare() { + append-cppflags -D_REENTRANT -DRATE_CONTROL + # fix #561720 by restoring pre-GCC5 inline semantics + append-cflags -std=gnu89 + + default + eautoreconf +} + +src_configure() { + econf \ + $(use_enable tcpd libwrap) \ + $(use_enable readline libreadline) \ + $(use_enable pcre libpcre) \ + --enable-mtftp +} + +src_test() { + cd "${S}"/test || die + # Try to run the tests + ./test.sh || die +} + +src_install() { + default + + newinitd "${FILESDIR}"/atftp.init atftp + newconfd "${FILESDIR}"/atftp.confd atftp + + systemd_dounit "${FILESDIR}"/atftp.service + systemd_install_serviced "${FILESDIR}"/atftp.service.conf + + dodoc README* BUGS FAQ Changelog INSTALL TODO + dodoc "${S}"/docs/* + + docinto test + cd "${S}"/test || die + dodoc load.sh mtftp.conf pcre_pattern.txt test.sh test_suite.txt +} diff --git a/net-ftp/atftp/files/atftp-0.7.2-cve-2020-6097.patch b/net-ftp/atftp/files/atftp-0.7.2-cve-2020-6097.patch new file mode 100644 index 00000000000..5130d008643 --- /dev/null +++ b/net-ftp/atftp/files/atftp-0.7.2-cve-2020-6097.patch @@ -0,0 +1,92 @@ +commit 96409ef3b9ca061f9527cfaafa778105cf15d994 +Author: Peter Kaestle <peter.kaes...@nokia.com> +Date: Wed Oct 14 14:02:41 2020 +0200 + + Fix for DoS issue CVE-2020-6097 + + "sockaddr_print_addr" of tftpd can be triggered remotely to call + assert(), which will crash the tftpd daemon. See: + https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029 + + "sockaddr_print_addr" originaly had two features: + 1) returning pointer to string of the incoming ip address + 2) checking whether ss_family of the connection is supported + + To fix the issue, a separate function "sockaddr_family_supported" is + used to take care of 2) and "sockaddr_print_addr" returns an error + message string for unsupported cases when using 1) insert of calling + assert(). + +diff --git a/tftp_def.c b/tftp_def.c +index d457c2a..428a930 100644 +--- a/tftp_def.c ++++ b/tftp_def.c +@@ -180,6 +180,15 @@ int Gethostbyname(char *addr, struct hostent *host) + return OK; + } + ++int ++sockaddr_family_supported(const struct sockaddr_storage *ss) ++{ ++ if (ss->ss_family == AF_INET || ss->ss_family == AF_INET6) ++ return 1; ++ else ++ return 0; ++} ++ + char * + sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len) + { +@@ -189,7 +198,7 @@ sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len) + else if (ss->ss_family == AF_INET6) + addr = &((const struct sockaddr_in6 *)ss)->sin6_addr; + else +- assert(!"sockaddr_print: unsupported address family"); ++ return "sockaddr_print: unsupported address family"; + return (char *)inet_ntop(ss->ss_family, addr, buf, len); + } + +diff --git a/tftp_def.h b/tftp_def.h +index 0841746..458e310 100644 +--- a/tftp_def.h ++++ b/tftp_def.h +@@ -54,6 +54,7 @@ int print_eng(double value, char *string, int size, char *format); + inline char *Strncpy(char *to, const char *from, size_t size); + int Gethostbyname(char *addr, struct hostent *host); + ++int sockaddr_family_supported(const struct sockaddr_storage *ss); + char *sockaddr_print_addr(const struct sockaddr_storage *, char *, size_t); + #define SOCKADDR_PRINT_ADDR_LEN INET6_ADDRSTRLEN + uint16_t sockaddr_get_port(const struct sockaddr_storage *); +diff --git a/tftpd.c b/tftpd.c +index 0b6f6a5..a7561a5 100644 +--- a/tftpd.c ++++ b/tftpd.c +@@ -644,6 +644,11 @@ void *tftpd_receive_request(void *arg) + } + + #ifdef HAVE_WRAP ++ if (!abort && !sockaddr_family_supported(&data->client_info->client)) ++ { ++ logger(LOG_ERR, "Connection from unsupported network address family refused"); ++ abort = 1; ++ } + if (!abort) + { + /* Verify the client has access. We don't look for the name but +diff --git a/tftpd_mtftp.c b/tftpd_mtftp.c +index d420d10..0032905 100644 +--- a/tftpd_mtftp.c ++++ b/tftpd_mtftp.c +@@ -393,6 +393,11 @@ void *tftpd_mtftp_server(void *arg) + &data_size, data->data_buffer); + + #ifdef HAVE_WRAP ++ if (!sockaddr_family_supported(&sa)) ++ { ++ logger(LOG_ERR, "mtftp: Connection from unsupported network address family refused"); ++ continue; ++ } + /* Verify the client has access. We don't look for the name but + rely only on the IP address for that. */ + sockaddr_print_addr(&sa, addr_str, sizeof(addr_str));
