Hello community, here is the log from the commit of package atftp for openSUSE:Factory checked in at 2020-10-29 09:21:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/atftp (Old) and /work/SRC/openSUSE:Factory/.atftp.new.3463 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "atftp" Thu Oct 29 09:21:34 2020 rev:38 rq:843929 version:0.7.2 Changes: -------- --- /work/SRC/openSUSE:Factory/atftp/atftp.changes 2020-06-04 17:49:08.455658537 +0200 +++ /work/SRC/openSUSE:Factory/.atftp.new.3463/atftp.changes 2020-10-29 09:21:37.182648260 +0100 @@ -1,0 +2,8 @@ +Wed Oct 21 18:19:51 UTC 2020 - Pedro Monreal <[email protected]> + +- Security fix: [bsc#1176437, CVE-2020-6097] + * A specially crafted sequence of RRQ-Multicast requests can + trigger an assert() call resulting denial-of-service. +- Add atftp-CVE-2020-6097.patch + +------------------------------------------------------------------- New: ---- atftp-CVE-2020-6097.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ atftp.spec ++++++ --- /var/tmp/diff_new_pack.Zxlzcy/_old 2020-10-29 09:21:37.878648927 +0100 +++ /var/tmp/diff_new_pack.Zxlzcy/_new 2020-10-29 09:21:37.882648931 +0100 @@ -44,6 +44,8 @@ # PATCH-FIX-SUSE update default directory in man (bnc#507011) Patch5: atftp-0.7-default_dir_man.patch Patch6: atftp-drop_privileges_non-daemon.patch +# PATCH-FIX-UPSTREAM bsc#1176437 CVE-2020-6097 Fix for DoS issue +Patch7: atftp-CVE-2020-6097.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: pcre-devel @@ -76,6 +78,7 @@ %patch4 %patch5 %patch6 -p1 +%patch7 -p1 %build autoreconf -fi ++++++ atftp-CVE-2020-6097.patch ++++++ >From 96409ef3b9ca061f9527cfaafa778105cf15d994 Mon Sep 17 00:00:00 2001 From: Peter Kaestle <[email protected]> Date: Wed, 14 Oct 2020 14:02:41 +0200 Subject: [PATCH] Fix for DoS issue CVE-2020-6097 "sockaddr_print_addr" of tftpd can be triggered remotely to call assert(), which will crash the tftpd daemon. See: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029 "sockaddr_print_addr" originaly had two features: 1) returning pointer to string of the incoming ip address 2) checking whether ss_family of the connection is supported To fix the issue, a separate function "sockaddr_family_supported" is used to take care of 2) and "sockaddr_print_addr" returns an error message string for unsupported cases when using 1) insert of calling assert(). --- tftp_def.c | 11 ++++++++++- tftp_def.h | 1 + tftpd.c | 5 +++++ tftpd_mtftp.c | 5 +++++ 4 files changed, 21 insertions(+), 1 deletion(-) diff --git a/tftp_def.c b/tftp_def.c index d457c2a..428a930 100644 --- a/tftp_def.c +++ b/tftp_def.c @@ -180,6 +180,15 @@ int Gethostbyname(char *addr, struct hostent *host) return OK; } +int +sockaddr_family_supported(const struct sockaddr_storage *ss) +{ + if (ss->ss_family == AF_INET || ss->ss_family == AF_INET6) + return 1; + else + return 0; +} + char * sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len) { @@ -189,7 +198,7 @@ sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len) else if (ss->ss_family == AF_INET6) addr = &((const struct sockaddr_in6 *)ss)->sin6_addr; else - assert(!"sockaddr_print: unsupported address family"); + return "sockaddr_print: unsupported address family"; return (char *)inet_ntop(ss->ss_family, addr, buf, len); } diff --git a/tftp_def.h b/tftp_def.h index 0841746..458e310 100644 --- a/tftp_def.h +++ b/tftp_def.h @@ -54,6 +54,7 @@ int print_eng(double value, char *string, int size, char *format); inline char *Strncpy(char *to, const char *from, size_t size); int Gethostbyname(char *addr, struct hostent *host); +int sockaddr_family_supported(const struct sockaddr_storage *ss); char *sockaddr_print_addr(const struct sockaddr_storage *, char *, size_t); #define SOCKADDR_PRINT_ADDR_LEN INET6_ADDRSTRLEN uint16_t sockaddr_get_port(const struct sockaddr_storage *); diff --git a/tftpd.c b/tftpd.c index 0b6f6a5..a7561a5 100644 --- a/tftpd.c +++ b/tftpd.c @@ -644,6 +644,11 @@ void *tftpd_receive_request(void *arg) } #ifdef HAVE_WRAP + if (!abort && !sockaddr_family_supported(&data->client_info->client)) + { + logger(LOG_ERR, "Connection from unsupported network address family refused"); + abort = 1; + } if (!abort) { /* Verify the client has access. We don't look for the name but diff --git a/tftpd_mtftp.c b/tftpd_mtftp.c index d420d10..0032905 100644 --- a/tftpd_mtftp.c +++ b/tftpd_mtftp.c @@ -393,6 +393,11 @@ void *tftpd_mtftp_server(void *arg) &data_size, data->data_buffer); #ifdef HAVE_WRAP + if (!sockaddr_family_supported(&sa)) + { + logger(LOG_ERR, "mtftp: Connection from unsupported network address family refused"); + continue; + } /* Verify the client has access. We don't look for the name but rely only on the IP address for that. */ sockaddr_print_addr(&sa, addr_str, sizeof(addr_str)); -- 2.28.0
