Re: buffer overflow vulnerability in netmask 2.3.12
On 2019-02-06 21:52:35, Guilhem Moulin wrote: > Hi anarcat, > > On Wed, 06 Feb 2019 at 14:13:23 -0500, Antoine Beaupré wrote: >> 4. issue a DLA when the package is accepted > > I wouldn't mind if you or another LTS team member were talking care of > this one :-) Alright, DLA coming right up! :) A. -- We should act only in such away that if everyone else acted as we do, we would accept the results. - Emmanuel Kant
Re: buffer overflow vulnerability in netmask 2.3.12
Hi anarcat, On Wed, 06 Feb 2019 at 14:13:23 -0500, Antoine Beaupré wrote: > On 2019-02-06 01:59:58, Guilhem Moulin wrote: >> * Upstream hasn't yet filed a CVE for this issue; I forwarded jmm's >> instructions regarding this. > > Sorry, forwarded where? Did I miss something? Ah sorry, that's indeed rather unclear. I told the Security Team I was unsure what the next steps were, since up to now CVEs on the packages I maintain have always been assigned either by a security team member or by upstream itself. Moritz suggested that upstream files this CVE themselves and provided a link to an online form, which I forwarded (privately) to upstream :-) > 1. open a bug report in the BTS Was about to do that, but (as often) carnil was faster ;-) > 2. mention it in the changelog > 3. upload the package to security-master Done, and new debdiff attached. > 4. issue a DLA when the package is accepted I wouldn't mind if you or another LTS team member were talking care of this one :-) Thanks! -- Guilhem. diff -Nru netmask-2.3.12/debian/changelog netmask-2.3.12+deb8u1/debian/changelog --- netmask-2.3.12/debian/changelog 2010-04-26 04:29:39.0 +0200 +++ netmask-2.3.12+deb8u1/debian/changelog 2019-02-06 01:08:09.0 +0100 @@ -1,3 +1,10 @@ +netmask (2.3.12+deb8u1) jessie-security; urgency=medium + + * Fix buffer overflow vulnerability. Closes: #921565. +https://github.com/tlby/netmask/issues/3 + + -- Guilhem Moulin Wed, 06 Feb 2019 01:08:09 +0100 + netmask (2.3.12) unstable; urgency=low * Include patches directly in source because it's a native package diff -Nru netmask-2.3.12/debian/control netmask-2.3.12+deb8u1/debian/control --- netmask-2.3.12/debian/control 2010-04-26 04:29:39.0 +0200 +++ netmask-2.3.12+deb8u1/debian/control2019-02-06 01:08:09.0 +0100 @@ -1,7 +1,7 @@ Source: netmask Section: net Priority: optional -Maintainer: Luis Uribe +Maintainer: Guilhem Moulin Build-Depends: debhelper (>= 5), texinfo Standards-Version: 3.8.4 diff -Nru netmask-2.3.12/errors.c netmask-2.3.12+deb8u1/errors.c --- netmask-2.3.12/errors.c 2010-04-26 04:29:39.0 +0200 +++ netmask-2.3.12+deb8u1/errors.c 2019-02-06 01:04:57.0 +0100 @@ -66,7 +66,7 @@ if(!show_status) return(0); va_start(args, fmt); -vsprintf(buf, fmt, args); +vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); return(message(LOG_DEBUG, buf)); } @@ -76,7 +76,7 @@ va_list args; va_start(args, fmt); -vsprintf(buf, fmt, args); +vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); return(message(LOG_WARNING, buf)); } @@ -86,7 +86,7 @@ va_list args; va_start(args, fmt); -vsprintf(buf, fmt, args); +vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); message(LOG_ERR, buf); exit(1); @@ -97,7 +97,7 @@ /* only handle errno if this is not an informational message */ if(errno && priority < 5) { - sprintf(buf, "%s: %s", msg, strerror(errno)); + snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno)); errno = 0; } else strcpy(buf, msg); if(use_syslog) syslog(priority, "%s", buf); signature.asc Description: PGP signature
Re: buffer overflow vulnerability in netmask 2.3.12
On 2019-02-06 01:59:58, Guilhem Moulin wrote: > Dear LTS team, Hi Guilhem! > A buffer overflow vulnerability was recently found in the netmask > package (a small utility that helps determining network masks): > > https://github.com/tlby/netmask/issues/3 > > The Security Team argued that the version in stretch (2.4.3-1) doesn't > warrant a DSA as the program is built with hardening options enabled > (thus turning the buffer overflow vulnerability into an harmless clash), > but that's not the case for the version in jessie (2.3.12), so I guess > it makes sense to upload a +deb8u1. Agreed. > I attach a debdiff with a trivial fix backported from 2.4.4, more > specifically the ‘errors.c’ part of > > > https://github.com/tlby/netmask/commit/29a9c239bd1008363f5b34ffd6c2cef906f3660c > > For convenience, you can also find the source package at > > dget -x https://people.debian.org/~guilhem/tmp/netmask_2.3.12+deb8u1.dsc > > Notes: > * I only started maintaining this package after jessie was frozen, but >the previous maintainer is no longer active and I thus took the >liberty to update the ‘Maintainer’ field in d/control accordingly. While this is usually a superfluous change, I think that in this case it makes sense so we know who to talk with the next time a problem happens (which will hopefully be never :). > * Before 2.4.2-1 the package was (incorrectly) native, so in this >jessie-security package I applied the fix directly to the upstream >source rather than going via a patch series. > * Upstream hasn't yet filed a CVE for this issue; I forwarded jmm's >instructions regarding this. Sorry, forwarded where? Did I miss something? Ideally, we would have at least one Debian-specific tracking number if we don't have a CVE. A bug in the BTS would do, for example. I'd be happy to do that administrativa if you wish. [...] The patch otherwise looks sound and should be uploaded. I believe the next step is to: 1. open a bug report in the BTS 2. mention it in the changelog 3. upload the package to security-master 4. issue a DLA when the package is accepted I'd be happy, like anyone else in the LTS team I'm sure, to take on any or all of those tasks, at your discretion. Cheers, A. -- Un éducateur dans l'âme ne prend rien au sérieux que par rapport à ses disciples -- soi-même non excepté. - Nietzsche, "Par delà le bien et le mal"
buffer overflow vulnerability in netmask 2.3.12
Dear LTS team, A buffer overflow vulnerability was recently found in the netmask package (a small utility that helps determining network masks): https://github.com/tlby/netmask/issues/3 The Security Team argued that the version in stretch (2.4.3-1) doesn't warrant a DSA as the program is built with hardening options enabled (thus turning the buffer overflow vulnerability into an harmless clash), but that's not the case for the version in jessie (2.3.12), so I guess it makes sense to upload a +deb8u1. I attach a debdiff with a trivial fix backported from 2.4.4, more specifically the ‘errors.c’ part of https://github.com/tlby/netmask/commit/29a9c239bd1008363f5b34ffd6c2cef906f3660c For convenience, you can also find the source package at dget -x https://people.debian.org/~guilhem/tmp/netmask_2.3.12+deb8u1.dsc Notes: * I only started maintaining this package after jessie was frozen, but the previous maintainer is no longer active and I thus took the liberty to update the ‘Maintainer’ field in d/control accordingly. * Before 2.4.2-1 the package was (incorrectly) native, so in this jessie-security package I applied the fix directly to the upstream source rather than going via a patch series. * Upstream hasn't yet filed a CVE for this issue; I forwarded jmm's instructions regarding this. Thanks! -- Guilhem. diff -Nru netmask-2.3.12/debian/changelog netmask-2.3.12+deb8u1/debian/changelog --- netmask-2.3.12/debian/changelog 2010-04-26 04:29:39.0 +0200 +++ netmask-2.3.12+deb8u1/debian/changelog 2019-02-06 01:08:09.0 +0100 @@ -1,3 +1,10 @@ +netmask (2.3.12+deb8u1) jessie-security; urgency=medium + + * Fix buffer overflow vulnerability +https://github.com/tlby/netmask/issues/3 + + -- Guilhem Moulin Wed, 06 Feb 2019 01:08:09 +0100 + netmask (2.3.12) unstable; urgency=low * Include patches directly in source because it's a native package diff -Nru netmask-2.3.12/debian/control netmask-2.3.12+deb8u1/debian/control --- netmask-2.3.12/debian/control 2010-04-26 04:29:39.0 +0200 +++ netmask-2.3.12+deb8u1/debian/control2019-02-06 01:08:09.0 +0100 @@ -1,7 +1,7 @@ Source: netmask Section: net Priority: optional -Maintainer: Luis Uribe +Maintainer: Guilhem Moulin Build-Depends: debhelper (>= 5), texinfo Standards-Version: 3.8.4 diff -Nru netmask-2.3.12/errors.c netmask-2.3.12+deb8u1/errors.c --- netmask-2.3.12/errors.c 2010-04-26 04:29:39.0 +0200 +++ netmask-2.3.12+deb8u1/errors.c 2019-02-06 01:04:57.0 +0100 @@ -66,7 +66,7 @@ if(!show_status) return(0); va_start(args, fmt); -vsprintf(buf, fmt, args); +vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); return(message(LOG_DEBUG, buf)); } @@ -76,7 +76,7 @@ va_list args; va_start(args, fmt); -vsprintf(buf, fmt, args); +vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); return(message(LOG_WARNING, buf)); } @@ -86,7 +86,7 @@ va_list args; va_start(args, fmt); -vsprintf(buf, fmt, args); +vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); message(LOG_ERR, buf); exit(1); @@ -97,7 +97,7 @@ /* only handle errno if this is not an informational message */ if(errno && priority < 5) { - sprintf(buf, "%s: %s", msg, strerror(errno)); + snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno)); errno = 0; } else strcpy(buf, msg); if(use_syslog) syslog(priority, "%s", buf); signature.asc Description: PGP signature