Re: buffer overflow vulnerability in netmask 2.3.12

2019-02-06 Thread Antoine Beaupré
On 2019-02-06 21:52:35, Guilhem Moulin wrote:
> Hi anarcat,
>
> On Wed, 06 Feb 2019 at 14:13:23 -0500, Antoine Beaupré wrote:
>> 4. issue a DLA when the package is accepted
>
> I wouldn't mind if you or another LTS team member were taking care of
> this one :-)

Alright, DLA coming right up! :)

A.

-- 
We should act only in such a way that if everyone 
else acted as we do, we would accept the results.
- Emmanuel Kant



Re: buffer overflow vulnerability in netmask 2.3.12

2019-02-06 Thread Guilhem Moulin
Hi anarcat,

On Wed, 06 Feb 2019 at 14:13:23 -0500, Antoine Beaupré wrote:
> On 2019-02-06 01:59:58, Guilhem Moulin wrote:
>> * Upstream hasn't yet filed a CVE for this issue; I forwarded jmm's
>> instructions regarding this.
> 
> Sorry, forwarded where? Did I miss something?

Ah sorry, that's indeed rather unclear.  I told the Security Team I was
unsure what the next steps were, since up to now CVEs on the packages I
maintain have always been assigned either by a security team member or
by upstream itself.  Moritz suggested that upstream files this CVE
themselves and provided a link to an online form, which I forwarded
(privately) to upstream :-)

> 1. open a bug report in the BTS

Was about to do that, but (as often) carnil was faster ;-)

> 2. mention it in the changelog
> 3. upload the package to security-master

Done, and new debdiff attached.

> 4. issue a DLA when the package is accepted

I wouldn't mind if you or another LTS team member were taking care of
this one :-)

Thanks!
-- 
Guilhem.
diff -Nru netmask-2.3.12/debian/changelog netmask-2.3.12+deb8u1/debian/changelog
--- netmask-2.3.12/debian/changelog 2010-04-26 04:29:39.0 +0200
+++ netmask-2.3.12+deb8u1/debian/changelog  2019-02-06 01:08:09.0 
+0100
@@ -1,3 +1,10 @@
+netmask (2.3.12+deb8u1) jessie-security; urgency=medium
+
+  * Fix buffer overflow vulnerability. Closes: #921565.
+https://github.com/tlby/netmask/issues/3
+
+ -- Guilhem Moulin   Wed, 06 Feb 2019 01:08:09 +0100
+
 netmask (2.3.12) unstable; urgency=low
 
   * Include patches directly in source because it's a native package 
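Review bot: the changelog entry closes #921565 and links the upstream issue but records no CVE identifier; as noted later in the thread, none has been assigned yet, so once one exists reference it here (and in the DLA text) so the security tracker can match this upload to the id.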
diff -Nru netmask-2.3.12/debian/control netmask-2.3.12+deb8u1/debian/control
--- netmask-2.3.12/debian/control   2010-04-26 04:29:39.0 +0200
+++ netmask-2.3.12+deb8u1/debian/control2019-02-06 01:08:09.0 
+0100
@@ -1,7 +1,7 @@
 Source: netmask
 Section: net
 Priority: optional
-Maintainer: Luis Uribe 
+Maintainer: Guilhem Moulin 
 Build-Depends: debhelper (>= 5), texinfo
 Standards-Version: 3.8.4
 
diff -Nru netmask-2.3.12/errors.c netmask-2.3.12+deb8u1/errors.c
--- netmask-2.3.12/errors.c 2010-04-26 04:29:39.0 +0200
+++ netmask-2.3.12+deb8u1/errors.c  2019-02-06 01:04:57.0 +0100
@@ -66,7 +66,7 @@
 
 if(!show_status) return(0);
 va_start(args, fmt);
-vsprintf(buf, fmt, args);
+vsnprintf(buf, sizeof(buf), fmt, args);
 va_end(args);
 return(message(LOG_DEBUG, buf));
 }
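Review bot: `vsnprintf(buf, sizeof(buf), fmt, args);` only bounds the write correctly if `buf` is a fixed-size array in this function rather than a pointer (with a pointer, `sizeof(buf)` is the pointer width); the declaration is outside the context lines, so confirm it. The return value is also discarded, so an over-long message is silently cut off, which is acceptable for log output but deserves a one-line comment.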
@@ -76,7 +76,7 @@
 va_list args;
 
 va_start(args, fmt);
-vsprintf(buf, fmt, args);
+vsnprintf(buf, sizeof(buf), fmt, args);
 va_end(args);
 return(message(LOG_WARNING, buf));
 }
@@ -86,7 +86,7 @@
 va_list args;
 
 va_start(args, fmt);
-vsprintf(buf, fmt, args);
+vsnprintf(buf, sizeof(buf), fmt, args);
 va_end(args);
 message(LOG_ERR, buf);
 exit(1);
@@ -97,7 +97,7 @@
 
 /* only handle errno if this is not an informational message */
 if(errno && priority < 5) {
-   sprintf(buf, "%s: %s", msg, strerror(errno));
+   snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno));
errno = 0;
 } else strcpy(buf, msg);
 if(use_syslog) syslog(priority, "%s", buf);
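Review bot: the else branch on the line `} else strcpy(buf, msg);` is still an unbounded copy; only the errno case in this hunk was bounded. Unless every caller guarantees `msg` fits in `buf`, use `snprintf(buf, sizeof(buf), "%s", msg);` here as well, for consistency with the rest of the fix.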




Re: buffer overflow vulnerability in netmask 2.3.12

2019-02-06 Thread Antoine Beaupré
On 2019-02-06 01:59:58, Guilhem Moulin wrote:
> Dear LTS team,

Hi Guilhem!

> A buffer overflow vulnerability was recently found in the netmask
> package (a small utility that helps determine network masks):
>
> https://github.com/tlby/netmask/issues/3
>
> The Security Team argued that the version in stretch (2.4.3-1) doesn't
> warrant a DSA as the program is built with hardening options enabled
> (thus turning the buffer overflow vulnerability into a harmless crash),
> but that's not the case for the version in jessie (2.3.12), so I guess
> it makes sense to upload a +deb8u1.

Agreed.

> I attach a debdiff with a trivial fix backported from 2.4.4, more
> specifically the ‘errors.c’ part of
>
> 
> https://github.com/tlby/netmask/commit/29a9c239bd1008363f5b34ffd6c2cef906f3660c
>
> For convenience, you can also find the source package at
>
> dget -x https://people.debian.org/~guilhem/tmp/netmask_2.3.12+deb8u1.dsc
>
> Notes:
>  * I only started maintaining this package after jessie was frozen, but
>the previous maintainer is no longer active and I thus took the
>liberty to update the ‘Maintainer’ field in d/control accordingly.

While this is usually a superfluous change, I think that in this case it
makes sense so we know who to talk with the next time a problem happens
(which will hopefully be never :).

>  * Before 2.4.2-1 the package was (incorrectly) native, so in this
>jessie-security package I applied the fix directly to the upstream
>source rather than going via a patch series.
>  * Upstream hasn't yet filed a CVE for this issue; I forwarded jmm's
>instructions regarding this.

Sorry, forwarded where? Did I miss something?

Ideally, we would have at least one Debian-specific tracking number if
we don't have a CVE. A bug in the BTS would do, for example. I'd be
happy to do that administrativa if you wish.

[...]

The patch otherwise looks sound and should be uploaded.

I believe the next step is to:

 1. open a bug report in the BTS
 2. mention it in the changelog
 3. upload the package to security-master
 4. issue a DLA when the package is accepted

I'd be happy, like anyone else in the LTS team I'm sure, to take on any
or all of those tasks, at your discretion.

Cheers,

A.
-- 
Un éducateur dans l'âme ne prend rien au sérieux que par rapport
à ses disciples -- soi-même non excepté.
- Nietzsche, "Par delà le bien et le mal"



buffer overflow vulnerability in netmask 2.3.12

2019-02-05 Thread Guilhem Moulin
Dear LTS team,

A buffer overflow vulnerability was recently found in the netmask
package (a small utility that helps determine network masks):

https://github.com/tlby/netmask/issues/3

The Security Team argued that the version in stretch (2.4.3-1) doesn't
warrant a DSA as the program is built with hardening options enabled
(thus turning the buffer overflow vulnerability into a harmless crash),
but that's not the case for the version in jessie (2.3.12), so I guess
it makes sense to upload a +deb8u1.

I attach a debdiff with a trivial fix backported from 2.4.4, more
specifically the ‘errors.c’ part of


https://github.com/tlby/netmask/commit/29a9c239bd1008363f5b34ffd6c2cef906f3660c

For convenience, you can also find the source package at

dget -x https://people.debian.org/~guilhem/tmp/netmask_2.3.12+deb8u1.dsc

Notes:
 * I only started maintaining this package after jessie was frozen, but
   the previous maintainer is no longer active and I thus took the
   liberty to update the ‘Maintainer’ field in d/control accordingly.
 * Before 2.4.2-1 the package was (incorrectly) native, so in this
   jessie-security package I applied the fix directly to the upstream
   source rather than going via a patch series.
 * Upstream hasn't yet filed a CVE for this issue; I forwarded jmm's
   instructions regarding this.

Thanks!
-- 
Guilhem.
diff -Nru netmask-2.3.12/debian/changelog netmask-2.3.12+deb8u1/debian/changelog
--- netmask-2.3.12/debian/changelog 2010-04-26 04:29:39.0 +0200
+++ netmask-2.3.12+deb8u1/debian/changelog  2019-02-06 01:08:09.0 
+0100
@@ -1,3 +1,10 @@
+netmask (2.3.12+deb8u1) jessie-security; urgency=medium
+
+  * Fix buffer overflow vulnerability
+https://github.com/tlby/netmask/issues/3
+
+ -- Guilhem Moulin   Wed, 06 Feb 2019 01:08:09 +0100
+
 netmask (2.3.12) unstable; urgency=low
 
   * Include patches directly in source because it's a native package 
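Review bot: the entry references the upstream issue but carries no Debian bug number, so the upload will not close anything in the BTS; once the bug report exists (step 1 of the proposed procedure) add a `Closes:` reference to the first bullet, as the revised debdiff later in the thread does with #921565.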
diff -Nru netmask-2.3.12/debian/control netmask-2.3.12+deb8u1/debian/control
--- netmask-2.3.12/debian/control   2010-04-26 04:29:39.0 +0200
+++ netmask-2.3.12+deb8u1/debian/control2019-02-06 01:08:09.0 
+0100
@@ -1,7 +1,7 @@
 Source: netmask
 Section: net
 Priority: optional
-Maintainer: Luis Uribe 
+Maintainer: Guilhem Moulin 
 Build-Depends: debhelper (>= 5), texinfo
 Standards-Version: 3.8.4
 
diff -Nru netmask-2.3.12/errors.c netmask-2.3.12+deb8u1/errors.c
--- netmask-2.3.12/errors.c 2010-04-26 04:29:39.0 +0200
+++ netmask-2.3.12+deb8u1/errors.c  2019-02-06 01:04:57.0 +0100
@@ -66,7 +66,7 @@
 
 if(!show_status) return(0);
 va_start(args, fmt);
-vsprintf(buf, fmt, args);
+vsnprintf(buf, sizeof(buf), fmt, args);
 va_end(args);
 return(message(LOG_DEBUG, buf));
 }
@@ -76,7 +76,7 @@
 va_list args;
 
 va_start(args, fmt);
-vsprintf(buf, fmt, args);
+vsnprintf(buf, sizeof(buf), fmt, args);
 va_end(args);
 return(message(LOG_WARNING, buf));
 }
@@ -86,7 +86,7 @@
 va_list args;
 
 va_start(args, fmt);
-vsprintf(buf, fmt, args);
+vsnprintf(buf, sizeof(buf), fmt, args);
 va_end(args);
 message(LOG_ERR, buf);
 exit(1);
@@ -97,7 +97,7 @@
 
 /* only handle errno if this is not an informational message */
 if(errno && priority < 5) {
-   sprintf(buf, "%s: %s", msg, strerror(errno));
+   snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno));
errno = 0;
 } else strcpy(buf, msg);
 if(use_syslog) syslog(priority, "%s", buf);


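As an added illustration (not code from this thread or from netmask itself), the shape of the backported fix: a varargs formatter bounded with vsnprintf in the style of the patched errors.c, plus a truncation check the patch does not make and a bounded version of the errno branch. The buffer size of 128 and the helper names are assumptions.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size scratch buffer, as in the patched errors.c (assumed: a
 * local char array; 128 is a constructed size for this example). */
#define MSG_BUF 128

/* Hardened formatter: vsnprintf writes at most bufsz-1 characters and
 * always NUL-terminates, where the old vsprintf(buf, fmt, args) wrote
 * however many bytes the expanded format produced.  Returns 1 when the
 * message was cut off, 0 otherwise, so a caller can notice. */
int format_bounded(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list args;
    int n;
    va_start(args, fmt);
    n = vsnprintf(buf, bufsz, fmt, args);
    va_end(args);
    return n < 0 || (size_t)n >= bufsz;
}

/* Equivalent of message()'s errno handling: the patch bounds the
 * "%s: %s" case with snprintf but leaves the else branch as strcpy;
 * here both paths go through the bounded formatter. */
int message_text(char *buf, size_t bufsz, const char *msg, int err)
{
    if (err)
        return format_bounded(buf, bufsz, "%s: %s", msg, strerror(err));
    return format_bounded(buf, bufsz, "%s", msg);
}

/* Constructed input: an over-long command-line argument echoed into an
 * error message, the situation the original vsprintf could not cope
 * with.  With the bounded formatter buf holds MSG_BUF-1 characters plus
 * the terminator and the call reports truncation. */
int demo(void)
{
    char buf[MSG_BUF];
    char longarg[300];
    int truncated;
    memset(longarg, 'A', sizeof(longarg) - 1);
    longarg[sizeof(longarg) - 1] = '\0';
    truncated = format_bounded(buf, sizeof(buf), "bad netmask: %s", longarg);
    return truncated && strlen(buf) == MSG_BUF - 1;
}
```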