Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package net-tools for openSUSE:Factory checked in at 2026-05-04 21:17:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/net-tools (Old) and /work/SRC/openSUSE:Factory/.net-tools.new.30200 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "net-tools" Mon May 4 21:17:11 2026 rev:67 rq:1350600 version:3.14~alpha~git.20251212.7011617 Changes: -------- --- /work/SRC/openSUSE:Factory/net-tools/net-tools.changes 2025-11-01 23:34:33.458325009 +0100 +++ /work/SRC/openSUSE:Factory/.net-tools.new.30200/net-tools.changes 2026-05-04 21:17:19.588105072 +0200 
@@ -1,0 +2,30 @@ +Mon Apr 27 08:39:16 UTC 2026 - Stanislav Brabec <[email protected]> + +- Switch to the latest snapshot of the new active upstream: + https://github.com/ecki/net-tools (jsc#PED-14308). +- Update to version 3.14~alpha~git.20251212.7011617: + * Merges all useful downstream contributions. Obsoletes following + patches: 0007-Introduce-T-notrim-option-in-netstat.patch, + net-tools-CVE-2025-46836.patch, + net-tools-CVE-2025-46836-regression.patch, + net-tools-CVE-2025-46836-error-reporting.patch, + net-tools-parse_hex-stack-overflow.patch, + net-tools-proc_gen_fmt-buffer-overflow.patch, + net-tools-ifconfig-avoid-unsafe-memcpy.patch, + net-tools-ax25+netrom-overflow-1.patch, + net-tools-ax25+netrom-overflow-2.patch, + net-tools-ifconfig-long-name-warning.patch. + * Translation updates. + * Minor fixes. + * Defaults changes: + * Enable Bluetooth protocol family, Token ring (generic) + support and SELinux support. + +------------------------------------------------------------------- +Mon Apr 20 07:57:29 UTC 2026 - Stanislav Brabec <[email protected]> + +- Prevent denial of service via terminal escape sequences injection + (bsc#1254323, gh#ecki/net-tools#2109, CVE-2024-58251, + net-tools-netstat-ansi-injection.patch). + +------------------------------------------------------------------- Old: ---- 0007-Introduce-T-notrim-option-in-netstat.patch net-tools-2.10.tar.xz net-tools-CVE-2025-46836-error-reporting.patch net-tools-CVE-2025-46836-regression.patch net-tools-CVE-2025-46836.patch net-tools-ax25+netrom-overflow-1.patch net-tools-ax25+netrom-overflow-2.patch net-tools-ifconfig-avoid-unsafe-memcpy.patch net-tools-ifconfig-long-name-warning.patch net-tools-parse_hex-stack-overflow.patch net-tools-proc_gen_fmt-buffer-overflow.patch New: ---- _service _servicedata net-tools-3.14~alpha~git.20251212.7011617.obscpio net-tools-netstat-ansi-injection.patch net-tools.obsinfo ----------(Old B)---------- Old: * Merges all useful downstream contributions. 
Obsoletes following patches: 0007-Introduce-T-notrim-option-in-netstat.patch, net-tools-CVE-2025-46836.patch, Old: net-tools-CVE-2025-46836-regression.patch, net-tools-CVE-2025-46836-error-reporting.patch, net-tools-parse_hex-stack-overflow.patch, Old: net-tools-CVE-2025-46836.patch, net-tools-CVE-2025-46836-regression.patch, net-tools-CVE-2025-46836-error-reporting.patch, Old: patches: 0007-Introduce-T-notrim-option-in-netstat.patch, net-tools-CVE-2025-46836.patch, net-tools-CVE-2025-46836-regression.patch, Old: net-tools-ifconfig-avoid-unsafe-memcpy.patch, net-tools-ax25+netrom-overflow-1.patch, net-tools-ax25+netrom-overflow-2.patch, Old: net-tools-ax25+netrom-overflow-1.patch, net-tools-ax25+netrom-overflow-2.patch, net-tools-ifconfig-long-name-warning.patch. Old: net-tools-proc_gen_fmt-buffer-overflow.patch, net-tools-ifconfig-avoid-unsafe-memcpy.patch, net-tools-ax25+netrom-overflow-1.patch, Old: net-tools-ax25+netrom-overflow-2.patch, net-tools-ifconfig-long-name-warning.patch. * Translation updates. Old: net-tools-CVE-2025-46836-error-reporting.patch, net-tools-parse_hex-stack-overflow.patch, net-tools-proc_gen_fmt-buffer-overflow.patch, Old: net-tools-parse_hex-stack-overflow.patch, net-tools-proc_gen_fmt-buffer-overflow.patch, net-tools-ifconfig-avoid-unsafe-memcpy.patch, ----------(Old E)---------- ----------(New B)---------- New: (bsc#1254323, gh#ecki/net-tools#2109, CVE-2024-58251, net-tools-netstat-ansi-injection.patch). ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ net-tools.spec ++++++ --- /var/tmp/diff_new_pack.YFVvTu/_old 2026-05-04 21:17:20.196129971 +0200 +++ /var/tmp/diff_new_pack.YFVvTu/_new 2026-05-04 21:17:20.196129971 +0200 
@@ -1,7 +1,7 @@ # # spec file for package net-tools # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,40 +17,20 @@ Name: net-tools -# The real version is 2.10. But we dropped downstream ether-wake, so bump version to detect this change. -# When an upstream update will appear, return back lines marked with #E# -%define _version 2.10 -Version: 2.10+1 +Version: 3.14~alpha~git.20251212.7011617 Release: 0 Summary: Important Programs for Networking License: GPL-2.0-or-later Group: Productivity/Networking/Other -URL: https://sourceforge.net/projects/net-tools/ -#E#Source: https://sourceforge.net/projects/net-tools/files/net-tools-%%{version}.tar.xz -Source: https://sourceforge.net/projects/net-tools/files/net-tools-%{_version}.tar.xz -# PATCH-FEATURE-SUSE: set configure values to our liking as we do not need -# everything here +URL: https://github.com/ecki/net-tools +Source: net-tools-%{version}.tar.xz +# PATCH-FEATURE-SUSE net-tools-configure.patch -- Set configure values to our liking as we do not need everything here. Patch0: net-tools-configure.patch -Patch7: 0007-Introduce-T-notrim-option-in-netstat.patch -# PATCH-FIX-SECURITY net-tools-CVE-2025-46836.patch bsc1243581 [email protected] -- Perform bound checks when parsing interface labels in /proc/net/dev. -Patch8: net-tools-CVE-2025-46836.patch -# PATCH-FIX-UPSTREAM net-tools-CVE-2025-46836-regression.patch bsc1243581 [email protected] -- Fix regression introduced by net-tools-CVE-2025-46836.patch. -Patch9: net-tools-CVE-2025-46836-regression.patch -# PATCH-FIX-UPSTREAM net-tools-CVE-2025-46836-error-reporting.patch bsc1243581 [email protected] -- Provide more readable error for interface name size checking. -Patch10: net-tools-CVE-2025-46836-error-reporting.patch -# PATCH-FIX-SECURITY net-tools-parse_hex-stack-overflow.patch bsc1248410 [email protected] -- Fix stack buffer overflow in parse_hex. -Patch11: net-tools-parse_hex-stack-overflow.patch -# PATCH-FIX-SECURITY net-tools-proc_gen_fmt-buffer-overflow.patch bsc1248410 [email protected] -- Fix stack-based buffer overflow in proc_gen_fmt. 
-Patch12: net-tools-proc_gen_fmt-buffer-overflow.patch -# PATCH-FIX-SECURITY net-tools-ifconfig-avoid-unsafe-memcpy.patch bsc1248410 [email protected] -- Avoid unsafe memcpy in ifconfig. -Patch13: net-tools-ifconfig-avoid-unsafe-memcpy.patch -# PATCH-FIX-SECURITY net-tools-ax25+netrom-overflow-1.patch bsc1248410 [email protected] -- Prevent overflow in ax25 and netrom. -Patch14: net-tools-ax25+netrom-overflow-1.patch -# PATCH-FIX-SECURITY net-tools-ax25+netrom-overflow-2.patch bsc1248410 [email protected] -- Prevent overflow in ax25 and netrom. -Patch15: net-tools-ax25+netrom-overflow-2.patch -# PATCH-FIX-UPSTREAM net-tools-ifconfig-long-name-warning.patch bsc1248410 [email protected] -- Allow to enter long interface names again. -Patch16: net-tools-ifconfig-long-name-warning.patch +# PATCH-FIX-SECURITY net-tools-netstat-ansi-injection.patch bsc1254323 gh#ecki/net-tools#2109 CVE-2024-58251 [email protected] -- Prevent denial of service via terminal escape sequences injection. +Patch1: net-tools-netstat-ansi-injection.patch +BuildRequires: bluez-devel BuildRequires: help2man +BuildRequires: libselinux-devel Recommends: traceroute >= 2.0.0 %description @@ -81,7 +61,7 @@ %prep #E#%%setup -q -%setup -q -n %{name}-%{_version} +%setup -q -n %{name}-%{version} %autopatch -p1 %build 
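Review bot: With `Patch7` to `Patch16` removed, the spec no longer records where the fixes for CVE-2025-46836 and the bsc1248410 overflows (parse_hex, proc_gen_fmt, the ifconfig memcpy, ax25/netrom) now live; only the changelog entry says the snapshot obsoletes them. A short comment next to `Version:` naming the upstream commits that carry each fix would let a later reviewer confirm none was lost in the move from the SourceForge tarball to the ecki/net-tools snapshot, for example `# Fixes formerly in Patch8-Patch16 are upstream as of <UPSTREAM_COMMIT>`. The `#E#%%setup -q` line kept in %prep in the following hunk refers to the `#E#` explanation that this hunk deletes, so it can be dropped with it.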
@@ -107,7 +87,7 @@ %if 0%{?suse_version} < 1550 mkdir -p %{buildroot}/sbin mkdir -p %{buildroot}/bin -for i in ether-wake nameif plipconfig slattach arp ipmaddr iptunnel; do +for i in nameif plipconfig slattach arp ipmaddr iptunnel; do ln -s %{_sbindir}/$i %{buildroot}/sbin/$i done for i in netstat ifconfig route; do ++++++ _service ++++++ <services> <service name="obs_scm" mode="manual"> <param name="url">https://github.com/ecki/net-tools.git</param> <param name="scm">git</param> <param name="versionformat">%cd.%h</param> <param name="versionprefix">3.14~alpha~git</param> <param name="changesgenerate">enable</param> <param name="changesauthor">Stanislav Brabec <[email protected]></param> </service> <service name="tar" mode="buildtime"/> <service name="recompress" mode="buildtime"> <param name="file">*.tar</param> <param name="compression">xz</param> </service> <service name="set_version" mode="manual"/> </services> ++++++ _servicedata ++++++ <servicedata> <service name="tar_scm"> <param name="url">[email protected]:ecki/net-tools.git</param> <param name="changesrevision">701161795e87a3b475afd7e3eb27885332cd90cb</param></service><service name="tar_scm"> <param name="url">https://github.com/ecki/net-tools.git</param> <param name="changesrevision">701161795e87a3b475afd7e3eb27885332cd90cb</param></service></servicedata> (No newline at EOF) ++++++ net-tools-configure.patch ++++++ --- /var/tmp/diff_new_pack.YFVvTu/_old 2026-05-04 21:17:20.272133084 +0200 +++ /var/tmp/diff_new_pack.YFVvTu/_new 2026-05-04 21:17:20.276133248 +0200 
@@ -1,16 +1,7 @@ -Index: net-tools-2.10/config.in +Index: net-tools-3.14~alpha~git.20251212.7011617/config.in =================================================================== ---- net-tools-2.10.orig/config.in -+++ net-tools-2.10/config.in -@@ -42,7 +42,7 @@ - * course, welcome. Answer `n' here if you have no support for - * internationalization on your system. - * --bool 'Does your system support GNU gettext?' I18N n -+bool 'Does your system support GNU gettext?' I18N y - * - * - * Protocol Families. +--- net-tools-3.14~alpha~git.20251212.7011617.orig/config.in ++++ net-tools-3.14~alpha~git.20251212.7011617/config.in @@ -91,10 +91,10 @@ bool 'InfiniBand hardware support' HAVE_ * bool 'IP Masquerading support' HAVE_FW_MASQUERADE y @@ -24,11 +15,11 @@ +bool 'Build mii-tool' HAVE_MII n bool 'Build plipconfig' HAVE_PLIP_TOOLS y bool 'Build slattach' HAVE_SERIAL_TOOLS y - bool 'SELinux support' HAVE_SELINUX n -Index: net-tools-2.10/configure.sh + bool 'SELinux support' HAVE_SELINUX y +Index: net-tools-3.14~alpha~git.20251212.7011617/configure.sh =================================================================== ---- net-tools-2.10.orig/configure.sh -+++ net-tools-2.10/configure.sh +--- net-tools-3.14~alpha~git.20251212.7011617.orig/configure.sh ++++ net-tools-3.14~alpha~git.20251212.7011617/configure.sh @@ -66,9 +66,8 @@ config_fd_redir='<&7' # function readln() ++++++ net-tools-netstat-ansi-injection.patch ++++++ >From d0732f25ff1b92427bb3382535b97fa6214d2a54 Mon Sep 17 00:00:00 2001 
From: Stanislav Brabec <[email protected]> Date: Mon, 30 Mar 2026 03:58:16 +0200 Subject: [PATCH] netstat: Fix possible ANSI terminal injection Convert special characters in the process name to "?" to prevent sending arbitrary characters to terminal. For example (ln -sf /usr/bin/nc /tmp/nc$(printf '\033[1m;'); /tmp/nc* -l 31337 &); netstat -alp causes terminal switching to bold. Other sequences can hide lines in the listing or lock the terminal. The problem was originally reported for busybox and is known as CVE-2024-58251. The escape_str.c code is based on procps and modified by Stephen Hemminger <[email protected]> for iproute2 ss. Reference: https://lore.kernel.org/all/[email protected]/ Due to the licensing reasons, the code is kept in a separate file. Fixes https://github.com/ecki/net-tools/issues/57 --- include/escape.h | 28 ++++++++++++ lib/Makefile | 2 +- lib/escape.c | 109 +++++++++++++++++++++++++++++++++++++++++++++++ netstat.c | 6 ++- 4 files changed, 142 insertions(+), 3 deletions(-) create mode 100644 include/escape.h create mode 100644 lib/escape.c diff --git a/include/escape.h b/include/escape.h new file mode 100644 index 0000000..e1a4e47 --- /dev/null +++ b/include/escape.h 
@@ -0,0 +1,28 @@
+/*
+ * escape.h - printing handling
+ *
+ * Copyright © 2011-2023 Jim Warner <[email protected]>
+ * Copyright © 2016-2023 Craig Small <[email protected]>
+ * Copyright © 1998-2005 Albert Cahalan
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef PROCPS_PROC_ESCAPE_H
+#define PROCPS_PROC_ESCAPE_H
+
+int escape_str (char *dst, const char *src, int bufsize);
+
+#endif
diff --git a/lib/Makefile b/lib/Makefile
index 8347645..c16332e 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -21,7 +21,7 @@ AFOBJS = unix.o inet.o inet6.o ax25.o ipx.o ddp.o ipx.o netrom.o af.o rose.o ec
 AFGROBJS = inet_gr.o inet6_gr.o ipx_gr.o ddp_gr.o netrom_gr.o ax25_gr.o rose_gr.o getroute.o x25_gr.o
 AFSROBJS = inet_sr.o inet6_sr.o netrom_sr.o ipx_sr.o setroute.o x25_sr.o
 ACTOBJS = slip_ac.o ppp_ac.o activate.o
-VARIA = getargs.o masq_info.o proc.o util.o nstrcmp.o interface.o sockets.o
+VARIA = getargs.o masq_info.o proc.o util.o nstrcmp.o interface.o sockets.o escape.o
 # Default Name
 NET_LIB_NAME = net-tools
diff --git a/lib/escape.c b/lib/escape.c
new file mode 100644
index 0000000..1c3d0eb
--- /dev/null
+++ b/lib/escape.c
@@ -0,0 +1,109 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Escape character print handling derived from procps
+ * Copyright 1998-2002 by Albert Cahalan
+ * Copyright 2020-2022 Jim Warner <[email protected]>
+ *
+ */
+
+#include <limits.h>
+#include <stdio.h>
+#include <string.h>
+#include <langinfo.h>
+
+static const char UTF_tab[] = {
+ 1, 1, 1, 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1, 1, 1, 1, // 0x00 - 0x0F
+ 1, 1, 1, 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1, 1, 1, 1, // 0x10 - 0x1F
+ 1, 1, 1, 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1, 1, 1, 1, // 0x20 - 0x2F
+ 1, 1, 1, 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1, 1, 1, 1, // 0x30 - 0x3F
+ 1, 1, 1, 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1, 1, 1, 1, // 0x40 - 0x4F
+ 1, 1, 1, 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1, 1, 1, 1, // 0x50 - 0x5F
+ 1, 1, 1, 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1, 1, 1, 1, // 0x60 - 0x6F
+ 1, 1, 1, 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1, 1, 1, 1, // 0x70 - 0x7F
+ -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, // 0x80 - 0x8F
+ -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, // 0x90 - 0x9F
+ -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, // 0xA0 - 0xAF
+ -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, // 0xB0 - 0xBF
+ -1, -1, 2, 2, 2, 2, 2, 2,
+ 2, 2, 2, 2, 2, 2, 2, 2, // 0xC0 - 0xCF
+ 2, 2, 2, 2, 2, 2, 2, 2,
+ 2, 2, 2, 2, 2, 2, 2, 2, // 0xD0 - 0xDF
+ 3, 3, 3, 3, 3, 3, 3, 3,
+ 3, 3, 3, 3, 3, 3, 3, 3, // 0xE0 - 0xEF
+ 4, 4, 4, 4, 4, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, // 0xF0 - 0xFF
+};
+
+static const unsigned char ESC_tab[] = {
+ "@..............................." // 0x00 - 0x1F
+ "||||||||||||||||||||||||||||||||" // 0x20 - 0x3F
+ "||||||||||||||||||||||||||||||||" // 0x40 - 0x5f
+ "|||||||||||||||||||||||||||||||." // 0x60 - 0x7F
+ "????????????????????????????????" // 0x80 - 0x9F
+ "????????????????????????????????" // 0xA0 - 0xBF
+ "????????????????????????????????" // 0xC0 - 0xDF
+ "????????????????????????????????"
// 0xE0 - 0xFF
+};
+
+static void esc_all(unsigned char *str)
+{
+ // if bad locale/corrupt str, replace non-printing stuff
+ while (*str) {
+ unsigned char c = ESC_tab[*str];
+
+ if (c != '|')
+ *str = c;
+ ++str;
+ }
+}
+
+static void esc_ctl(unsigned char *str, int len)
+{
+ int i;
+
+ for (i = 0; i < len;) {
+ // even with a proper locale, strings might be corrupt
+ int n = UTF_tab[*str];
+
+ if (n < 0 || i + n > len) {
+ esc_all(str);
+ return;
+ }
+ // and eliminate those non-printing control characters
+ if (*str < 0x20 || *str == 0x7f)
+ *str = '?';
+ str += n;
+ i += n;
+ }
+}
+
+int escape_str(char *dst, const char *src, int bufsize)
+{
+ static int utf_sw;
+
+ if (utf_sw == 0) {
+ char *enc = nl_langinfo(CODESET);
+
+ utf_sw = enc && strcasecmp(enc, "UTF-8") == 0 ? 1 : -1;
+ }
+
+ int n = strlcpy(dst, src, bufsize);
+
+ if (utf_sw < 0)
+ esc_all((unsigned char *)dst);
+ else
+ esc_ctl((unsigned char *)dst, n);
+ return n;
+}
diff --git a/netstat.c b/netstat.c
index 8475ee7..8dcab6b 100644
--- a/netstat.c
+++ b/netstat.c
@@ -96,6 +96,7 @@
 #include "interface.h"
 #include "util.h"
 #include "proc.h"
+#include "escape.h"
 #if HAVE_SELINUX
 #include <selinux/selinux.h>
@@ -397,7 +398,7 @@ static void prg_cache_load(void)
 {
 char line[LINE_MAX], eacces=0;
 int procfdlen, fd, cmdllen, lnamelen;
- char lname[30], cmdlbuf[512], finbuf[PROGNAME_WIDTH];
+ char lname[30], cmdlbuf[512], ecmdlbuf[512], finbuf[PROGNAME_WIDTH];
 unsigned long inode;
 const char *cs, *cmdlp;
 DIR *dirproc = NULL, *dirfd = NULL;
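Review bot: esc_ctl() in the new lib/escape.c looks only at the lead byte of each sequence: it takes `n = UTF_tab[*str]` and then advances by n without checking that the n-1 bytes it steps over are continuation bytes (0x80-0xBF), so a control byte directly after a multi-byte lead byte is not replaced with `?`, and the C1 controls encoded as 0xC2 0x80-0x9F pass through as well. The loop should treat both cases as a corrupt string and fall back to esc_all(), as in the excerpt below. UTF_tab is declared `static const char` but stores -1, so on ABIs where plain char is unsigned the `n < 0` test cannot fire; `static const signed char UTF_tab[] = {` avoids that. In escape_str(), strlcpy() returns the length of src rather than the number of bytes stored, so the length handed to esc_ctl() should be clamped, e.g. `if (n >= bufsize) n = bufsize - 1;`, even though the only caller in this patch passes equal-sized buffers.

```c
		int n = UTF_tab[*str];

		// ... unchanged: n < 0 || i + n > len check falling back to esc_all() ...
		// bytes after the lead byte must be continuation bytes (10xxxxxx)
		for (int k = 1; k < n; k++) {
			if ((str[k] & 0xC0) != 0x80) {
				esc_all(str);
				return;
			}
		}
		// U+0080..U+009F (C1 controls) are encoded as 0xC2 0x80..0x9F
		if (*str == 0xC2 && str[1] < 0xA0) {
			esc_all(str);
			return;
		}
		// ... unchanged: replace ASCII control characters, advance by n ...
```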
@@ -467,10 +468,11 @@ static void prg_cache_load(void)
 cmdlp++;
 else
 cmdlp = cmdlbuf;
+ escape_str (ecmdlbuf, cmdlp, 512);
 }
 // pid can be up to 10, use rest from commandline start.
 // #pragma GCC diagnostic ignored "-Wformat-truncation"?
- snprintf(finbuf, sizeof(finbuf), "%s/%s", direproc->d_name, cmdlp);
+ snprintf(finbuf, sizeof(finbuf), "%s/%s", direproc->d_name, ecmdlbuf);
 #if HAVE_SELINUX
 if (getpidcon(atoi(direproc->d_name), &scon) == -1) {
 scon=xstrdup("-");
--
2.51.0
++++++ net-tools.obsinfo ++++++
name: net-tools
version: 3.14~alpha~git.20251212.7011617
mtime: 1765575607
commit: 701161795e87a3b475afd7e3eb27885332cd90cb
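Review bot: The added call `escape_str (ecmdlbuf, cmdlp, 512);` repeats the size of ecmdlbuf as a literal; `escape_str(ecmdlbuf, cmdlp, sizeof(ecmdlbuf));` keeps the bound tied to the declaration added in the `@@ -397,7 +398,7 @@` hunk. The call sits just before a closing brace whose opening is outside this hunk, while the snprintf() that now reads ecmdlbuf comes after that brace, so any path that skips the block would format a buffer that was not written for the current process. Presumably the block always runs before the first use, but that is worth confirming, or making explicit with `ecmdlbuf[0] = '\0';` before the block. A comment above the call such as `/* cmdline is set by the listed process: neutralise control bytes before printing */` would record why the copy exists.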
