Control: patch -1
Hi,

many thanks for the report and the information provided!

> * What led up to the situation?
> During a research project we have found a potential information leak
> in the atftpd daemon from package atftpd, where malformed requests can
> lead to a (partial) leak of the contents of /etc/group.
> […]
> It appears that this bug has been fixed upstream (commit
> 9cf799c40738722001552618518279e9f0ef62e5), and the fix is already
> included in atftpd version 0.7.git20210915-3 in debian testing.
> Yet we were able to reproduce this behavior on debian stable/bullseye
> (atftpd version 0.7.git20120829-3.3+deb11u1) and debian oldstable/buster
> (atftpd version 0.7.git20120829-3.2~deb10u2).

I've prepared packages with the cherry-picked patch for bullseye
(0.7.git20120829-3.3+deb11u2) and buster (0.7.git20120829-3.2~deb10u3).
Nothing has been uploaded yet to coordinate with the security team first,
debdiff attached.

Best Regards,

  Andi
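The over-read behind the reported leak, as an added example (editor's code, neither atftp's nor the reporter's): a stand-in for glibc's argz_next with the same logic, the pre-patch handling of the first request entry beside the terminator check from the attached debdiffs, and a constructed 516-byte receive buffer in which an earlier, longer datagram left bytes behind. The stale line shaped like /etc/group content is made up for the demo; the `data_size <= sizeof(th_opcode)` bound in the checked version is an assumption added here, stricter than the cherry-picked `data_size == 0`; how over-read bytes reach the wire in atftpd is not shown, only that the parsed "filename" runs past the received datagram.

```c
#include <stdio.h>
#include <string.h>

#define OK   0
#define ERR  (-1)
#define BUF_SIZE 516   /* typical TFTP receive buffer: 4-byte header + 512-byte block */

/* Layout of a request as options.c sees it: a 2-byte opcode followed by
 * NUL-separated strings (filename, mode, option/value pairs). */
struct tftphdr {
    unsigned char th_opcode[2];
    char          th_stuff[];
};

/* Stand-in with the same logic as glibc argz_next(3): argz_len bounds where
 * the *next* entry may start, but the end of the current entry is found with
 * strchr, which stops only at a NUL, inside the received bytes or not. */
static char *argz_next_like(char *argz, size_t argz_len, char *entry)
{
    if (entry) {
        if (entry < argz + argz_len)
            entry = strchr(entry, '\0') + 1;
        return entry >= argz + argz_len ? NULL : entry;
    }
    return argz_len > 0 ? argz : NULL;
}

/* Pre-patch behaviour: take the first entry as the filename without checking
 * that the request ends in a NUL. */
int parse_request_unchecked(char *data, size_t data_size, char *filename, size_t fn_size)
{
    struct tftphdr *tftp_data = (struct tftphdr *)data;
    size_t size = data_size - sizeof(tftp_data->th_opcode);
    char *entry = argz_next_like(tftp_data->th_stuff, size, NULL);
    if (!entry)
        return ERR;
    snprintf(filename, fn_size, "%s", entry);  /* copies up to the next NUL, wherever it is */
    return OK;
}

/* Patched behaviour: the cherry-picked hunk rejects data_size == 0 or a last
 * byte that is not NUL.  Assumption added here: also reject
 * data_size <= sizeof(th_opcode), so `size` cannot wrap below zero. */
int parse_request_checked(char *data, size_t data_size, char *filename, size_t fn_size)
{
    struct tftphdr *tftp_data = (struct tftphdr *)data;
    if (data_size <= sizeof(tftp_data->th_opcode) || data[data_size - 1] != '\0')
        return ERR;
    size_t size = data_size - sizeof(tftp_data->th_opcode);
    char *entry = argz_next_like(tftp_data->th_stuff, size, NULL);
    if (!entry)
        return ERR;
    snprintf(filename, fn_size, "%s", entry);
    return OK;
}

/* Constructed scenario: the receive buffer still holds bytes from an earlier,
 * longer datagram (a made-up line shaped like /etc/group content), and the
 * new RRQ carries the filename "abc" with its terminating NUL omitted.
 * Returns the number of bytes the kernel would report as received. */
size_t build_malformed_rrq(char *buf)
{
    const char stale[] = "root:x:0:\nadm:x:4:\n";   /* constructed stale data */
    memset(buf, 0, BUF_SIZE);
    memcpy(buf + 2, stale, sizeof stale);           /* left over from a previous packet */
    buf[0] = 0; buf[1] = 1;                         /* opcode 1 = RRQ */
    memcpy(buf + 2, "abc", 3);                      /* filename, no NUL */
    return 5;
}

/* Well-formed RRQ for comparison: "abc" NUL "octet" NUL. */
size_t build_wellformed_rrq(char *buf)
{
    memset(buf, 0, BUF_SIZE);
    buf[0] = 0; buf[1] = 1;
    memcpy(buf + 2, "abc\0octet\0", 10);
    return 12;
}

int main(void)
{
    char buf[BUF_SIZE], name[BUF_SIZE];
    size_t n = build_malformed_rrq(buf);

    if (parse_request_unchecked(buf, n, name, sizeof name) == OK)
        printf("unchecked: %zu bytes received, filename is %zu bytes: \"%s\"\n",
               n, strlen(name), name);
    printf("checked:   %s\n",
           parse_request_checked(buf, n, name, sizeof name) == ERR ? "rejected" : "accepted");

    n = build_wellformed_rrq(buf);
    printf("checked, well-formed: %s\n",
           parse_request_checked(buf, n, name, sizeof name) == OK ? name : "rejected");
    return 0;
}
```

The unchecked parser reports a 19-byte filename for a 5-byte datagram: the 16 trailing bytes are stale buffer content, which is the class of over-read the report describes. With the last received byte guaranteed to be NUL, the strchr inside argz_next can never leave the datagram, so the terminator check is sufficient for every entry, not only the filename.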
diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog --- atftp-0.7.git20120829/debian/changelog +++ atftp-0.7.git20120829/debian/changelog @@ -1,3 +1,10 @@ +atftp (0.7.git20120829-3.3+deb11u2) bullseye; urgency=medium + + * Cherry pick 9cf799 from upstream to fix read-past-end-of-array. + (Closes: #1004974) + + -- Andreas B. Mundt <a...@debian.org> Fri, 04 Feb 2022 18:09:05 +0100 + atftp (0.7.git20120829-3.3+deb11u1) bullseye; urgency=medium * Fix for CVE-2021-41054 (Closes: #994895) diff -u atftp-0.7.git20120829/options.c atftp-0.7.git20120829/options.c --- atftp-0.7.git20120829/options.c +++ atftp-0.7.git20120829/options.c @@ -43,6 +43,12 @@ struct tftphdr *tftp_data = (struct tftphdr *)data; size_t size = data_size - sizeof(tftp_data->th_opcode); + /* sanity check - requests always end in a null byte, + * check to prevent argz_next from reading past the end of + * data, as it doesn't do bounds checks */ + if (data_size == 0 || data[data_size-1] != '\0') + return ERR; + /* read filename */ entry = argz_next(tftp_data->th_stuff, size, entry); if (!entry) @@ -79,6 +85,12 @@ struct tftphdr *tftp_data = (struct tftphdr *)data; size_t size = data_size - sizeof(tftp_data->th_opcode); + /* sanity check - options always end in a null byte, + * check to prevent argz_next from reading past the end of + * data, as it doesn't do bounds checks */ + if (data_size == 0 || data[data_size-1] != '\0') + return ERR; + while ((entry = argz_next(tftp_data->th_stuff, size, entry))) { tmp = entry;
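Review bot: in both options.c hunks the new guard sits after `size_t size = data_size - sizeof(tftp_data->th_opcode);` and only rejects `data_size == 0`, so a one-byte datagram whose single byte is NUL passes `data[data_size-1] != '\0'` while `size` has already wrapped to SIZE_MAX, unless the caller guarantees data_size > sizeof(th_opcode), which is not visible in this debdiff. Suggest tightening the bound to `if (data_size <= sizeof(tftp_data->th_opcode) || data[data_size-1] != '\0') return ERR;` in both places. With that, the terminator check is the right fix: once the last received byte is guaranteed to be NUL, the strchr inside argz_next cannot run past data for any entry.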
diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog --- atftp-0.7.git20120829/debian/changelog +++ atftp-0.7.git20120829/debian/changelog @@ -1,3 +1,10 @@ +atftp (0.7.git20120829-3.2~deb10u3) buster; urgency=medium + + * Cherry pick 9cf799 from upstream to fix read-past-end-of-array. + (Closes: #1004974) + + -- Andreas B. Mundt <a...@debian.org> Fri, 04 Feb 2022 18:47:25 +0100 + atftp (0.7.git20120829-3.2~deb10u2) buster; urgency=medium * Fix for CVE-2021-41054 (Closes: #994895) diff -u atftp-0.7.git20120829/options.c atftp-0.7.git20120829/options.c --- atftp-0.7.git20120829/options.c +++ atftp-0.7.git20120829/options.c @@ -43,6 +43,12 @@ struct tftphdr *tftp_data = (struct tftphdr *)data; size_t size = data_size - sizeof(tftp_data->th_opcode); + /* sanity check - requests always end in a null byte, + * check to prevent argz_next from reading past the end of + * data, as it doesn't do bounds checks */ + if (data_size == 0 || data[data_size-1] != '\0') + return ERR; + /* read filename */ entry = argz_next(tftp_data->th_stuff, size, entry); if (!entry) @@ -79,6 +85,12 @@ struct tftphdr *tftp_data = (struct tftphdr *)data; size_t size = data_size - sizeof(tftp_data->th_opcode); + /* sanity check - options always end in a null byte, + * check to prevent argz_next from reading past the end of + * data, as it doesn't do bounds checks */ + if (data_size == 0 || data[data_size-1] != '\0') + return ERR; + while ((entry = argz_next(tftp_data->th_stuff, size, entry))) { tmp = entry;
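Review bot: the same sanity-check block is pasted verbatim into both functions in options.c, and its `data_size == 0` bound is looser than the `size = data_size - sizeof(tftp_data->th_opcode);` computation just above it needs (a single NUL byte passes the check with `size` wrapped). Consider hoisting it into one static helper, for example `static int request_is_terminated(const char *data, size_t data_size)`, that rejects `data_size <= sizeof(tftp_data->th_opcode)` as well, so the two call sites stay in sync and the bound is fixed once. The changelog line `Cherry pick 9cf799 from upstream to fix read-past-end-of-array` would be easier to trace if it named options.c or the request/option parsing it touches.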