Bug#994946: bullseye-pu: package atftp/0.7.git20120829-3.3

2021-10-01 Thread Andreas B. Mundt
Hi Adam,

On Thu, Sep 30, 2021 at 08:00:30PM +0100, Adam D. Barratt wrote:
> […]
> 
> I'm assuming this is from upstream, but as a small note:
> 
> +   *  the options here for simplicity, which puts us on the save side.
> 
> s/save/safe/ (in two lines)
> 
> Please go ahead.

Version 0.7.git20120829-3.3+deb11u1 with fixed typo uploaded.

Thanks and best regards,

  Andi



Bug#994946: bullseye-pu: package atftp/0.7.git20120829-3.3

2021-09-30 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2021-09-23 at 18:07 +0200, Andreas B. Mundt wrote:
> I would like to ask for permission to upload a new atftpd 
> package 0.7.git20120829-3.3+deb11u1 to fix #994895, buffer
> overflow, CVE-2021-41054.
> 

I'm assuming this is from upstream, but as a small note:

+   *  the options here for simplicity, which puts us on the save side.

s/save/safe/ (in two lines)

Please go ahead.

Regards,

Adam



Bug#994946: bullseye-pu: package atftp/0.7.git20120829-3.3

2021-09-23 Thread Andreas B. Mundt
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

Hi,

I would like to ask for permission to upload a new atftpd 
package 0.7.git20120829-3.3+deb11u1 to fix #994895, buffer
overflow, CVE-2021-41054.

[ Reason ]
Fix a CVE (no DSA)

[ Impact ]
atftpd can be crashed by sending a crafted, but trivial request.

[ Tests ]
I manually tested that the buffer overflow happens in the current 
package and is fixed in the new package.

[ Risks ]
very small

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The patch checks the length of the options of the request and
throws an error if the buffer is too small.

diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog
--- atftp-0.7.git20120829/debian/changelog
+++ atftp-0.7.git20120829/debian/changelog
@@ -1,3 +1,9 @@
+atftp (0.7.git20120829-3.3+deb11u1) bullseye; urgency=medium
+
+  * Fix for CVE-2021-41054 (Closes: #994895)
+
+ -- Andreas B. Mundt   Wed, 22 Sep 2021 21:15:01 +0200
+
 atftp (0.7.git20120829-3.3) unstable; urgency=medium
 
   * Non-maintainer upload.
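Review bot: the changelog entry `+  * Fix for CVE-2021-41054 (Closes: #994895)` names the CVE but not the change; for a stable update it helps to say what was done in one line, e.g. "reject requests whose options would not fit the OACK buffer (blksize check in tftpd_file.c)", so the entry can be understood without reading the debdiff.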
diff -u atftp-0.7.git20120829/tftpd_file.c atftp-0.7.git20120829/tftpd_file.c
--- atftp-0.7.git20120829/tftpd_file.c
+++ atftp-0.7.git20120829/tftpd_file.c
@@ -183,8 +183,17 @@
  /* blksize options */
  if ((result = opt_get_blksize(data->tftp_options)) > -1)
  {
-  if ((result < 8) || (result > 65464))
+  /*
+   *  If we receive more options, we have to make sure our buffer for
+   *  the OACK is not too small.  Use the string representation of
+   *  the options here for simplicity, which puts us on the save side.
+   *  FIXME: Use independent buffers for OACK and data.
+   */
+  opt_options_to_string(data->tftp_options, string, MAXLEN);
+  if ((result < strlen(string)-2) || (result > 65464))
   {
+   logger(LOG_NOTICE, "options <%s> require roughly a blksize of 
%d for the OACK.",
+  string, strlen(string)-2);
tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, 
data->data_buffer_size);
if (data->trace)
 logger(LOG_DEBUG, "sent ERROR ", 
EOPTNEG,
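Review bot: the new condition `if ((result < strlen(string)-2) || (result > 65464))` drops the RFC 2348 lower bound that the replaced line `if ((result < 8) || (result > 65464))` enforced; keep both, e.g. `if ((result < 8) || (result < strlen(string)-2) || (result > 65464))`, so a blksize below 8 is still refused even when the option string happens to be short. Two smaller points on the same lines: `strlen(string)-2` is a `size_t`, so `%d` in the `logger(LOG_NOTICE, ...)` format is the wrong conversion (use `%zu`, or cast to `int`), and `result` is an `int` compared against a `size_t`; it is non-negative here because of the `> -1` test above, so the promotion is harmless, but an explicit cast would make that visible. Also `s/save/safe/` in the comment.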
@@ -530,8 +539,17 @@
  /* blksize options */
  if ((result = opt_get_blksize(data->tftp_options)) > -1)
  {
-  if ((result < 8) || (result > 65464))
+  /*
+   *  If we receive more options, we have to make sure our buffer for
+   *  the OACK is not too small.  Use the string representation of
+   *  the options here for simplicity, which puts us on the save side.
+   *  FIXME: Use independent buffers for OACK and data.
+   */
+  opt_options_to_string(data->tftp_options, string, MAXLEN);
+  if ((result < strlen(string)-2) || (result > 65464))
   {
+   logger(LOG_NOTICE, "options <%s> require roughly a blksize of 
%d for the OACK.",
+  string, strlen(string)-2);
tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, 
data->data_buffer_size);
if (data->trace)
 logger(LOG_DEBUG, "sent ERROR ", 
EOPTNEG,
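Review bot: this hunk is a verbatim copy of the block in the `@@ -183,8 +183,17 @@` hunk, including the `%d` conversion for the `size_t` value `strlen(string)-2` and the dropped `result < 8` lower bound; factor the check and its log message into one static helper (e.g. a function returning the minimum blksize for `data->tftp_options`) called from both places, so the two paths cannot diverge and the FIXME about independent buffers has to be addressed in one place only.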
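The failure mode the thread above fixes, as an added example that is not atftp's code: a server that reuses one buffer, sized by the client-supplied blksize, for both data and the OACK it sends back (the situation the patch's FIXME about "independent buffers for OACK and data" describes). A request asking for the smallest legal blksize while carrying several options makes the OACK larger than that buffer. The example keeps the RFC 2348 range check, then adds the length check the patch introduces, but measures the real RFC 2347 wire encoding of the options instead of the logging string. The option set, function names and the `crafted` request are constructed for illustration.

```c
/*
 * Added example, not atftp's code.  Minimal TFTP option negotiation
 * (RFC 2347/2348) showing why a client-chosen blksize must also be large
 * enough for the OACK when the OACK is written into the data buffer.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TFTP_OACK   6
#define BLKSIZE_MIN 8       /* RFC 2348 */
#define BLKSIZE_MAX 65464   /* RFC 2348 */

struct tftp_opt {
    const char *name;
    const char *value;
};

/* Bytes an OACK needs on the wire: 2-byte opcode, then "name\0value\0" per option. */
size_t oack_wire_length(const struct tftp_opt *opts, size_t n)
{
    size_t len = 2;
    for (size_t i = 0; i < n; i++)
        len += strlen(opts[i].name) + 1 + strlen(opts[i].value) + 1;
    return len;
}

/* The check before the patch: only the RFC range, nothing about the OACK size. */
int blksize_ok_before(int blksize, const struct tftp_opt *opts, size_t n)
{
    (void)opts; (void)n;
    return blksize >= BLKSIZE_MIN && blksize <= BLKSIZE_MAX;
}

/* The check after the patch, in spirit: the OACK is written into a buffer of
 * blksize bytes, so it has to fit there as well.  The RFC lower bound is kept. */
int blksize_ok_after(int blksize, const struct tftp_opt *opts, size_t n)
{
    if (blksize < BLKSIZE_MIN || blksize > BLKSIZE_MAX)
        return 0;
    return oack_wire_length(opts, n) <= (size_t)blksize;
}

/* Serialise the OACK into buf.  Returns bytes written, or -1 when it would not
 * fit; a server would then answer with ERROR/EOPTNEG instead of overflowing. */
int build_oack(unsigned char *buf, size_t bufsize,
               const struct tftp_opt *opts, size_t n)
{
    size_t need = oack_wire_length(opts, n);
    if (need > bufsize)
        return -1;
    buf[0] = 0;
    buf[1] = TFTP_OACK;
    size_t pos = 2;
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(opts[i].name) + 1;   /* include the NUL */
        memcpy(buf + pos, opts[i].name, l);
        pos += l;
        l = strlen(opts[i].value) + 1;
        memcpy(buf + pos, opts[i].value, l);
        pos += l;
    }
    return (int)pos;
}

/* Constructed request: smallest legal blksize plus two more options (30 OACK bytes). */
static const struct tftp_opt crafted[] = {
    { "blksize", "8" },
    { "timeout", "1" },
    { "tsize",   "0" },
};
#define CRAFTED_N (sizeof crafted / sizeof crafted[0])

/* Build the crafted OACK into a buffer pretending to have bufsize bytes. */
int demo_build(size_t bufsize)
{
    unsigned char buf[BLKSIZE_MAX];
    if (bufsize > sizeof buf)
        return -2;
    return build_oack(buf, bufsize, crafted, CRAFTED_N);
}

/* Byte at index i of the crafted OACK built into a 512-byte buffer, or -1. */
int demo_byte(size_t i)
{
    unsigned char buf[512];
    int len = build_oack(buf, sizeof buf, crafted, CRAFTED_N);
    if (len < 0 || i >= (size_t)len)
        return -1;
    return buf[i];
}

int main(void)
{
    printf("OACK needs %zu bytes, requested blksize is 8\n",
           oack_wire_length(crafted, CRAFTED_N));
    printf("old check accepts: %d, new check accepts: %d\n",
           blksize_ok_before(8, crafted, CRAFTED_N),
           blksize_ok_after(8, crafted, CRAFTED_N));
    printf("build into 8-byte buffer: %d, into 512-byte buffer: %d\n",
           demo_build(8), demo_build(512));
    return 0;
}
```

The pre-patch check accepts the request because 8 is inside the RFC range, and an unchecked writer would then copy 30 bytes into an 8-byte buffer; the post-patch check refuses it, and `build_oack` refuses it a second time at the point of writing, which is the cheaper place to keep the guard once data and OACK get separate buffers.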