Control: patch -1

Hi,

many thanks for the report and the information provided!

>    * What led up to the situation?
> During a research project we have found a potential information leak
> in the atftpd daemon from package atftpd, where malformed requests can
> lead to a (partial) leak of the contents of /etc/group. 

> […]

> It appears that this bug has been fixed upstream (commit
> 9cf799c40738722001552618518279e9f0ef62e5), and the fix is already
> included in atftpd version 0.7.git20210915-3 in debian testing.
> Yet we were able to reproduce this behavior on debian stable/bullseye
> (atftpd version 0.7.git20120829-3.3+deb11u1) and debian oldstable/buster
> (atftpd version 0.7.git20120829-3.2~deb10u2).

I've prepared packages with the cherry-picked patch for
  bullseye (0.7.git20120829-3.3+deb11u2) and
  buster (0.7.git20120829-3.2~deb10u3).
Nothing has been uploaded yet to coordinate with the security team first,
debdiff attached.

Best Regards, 

  Andi

diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog
--- atftp-0.7.git20120829/debian/changelog
+++ atftp-0.7.git20120829/debian/changelog
@@ -1,3 +1,10 @@
+atftp (0.7.git20120829-3.3+deb11u2) bullseye; urgency=medium
+
+  * Cherry pick 9cf799 from upstream to fix read-past-end-of-array.
+    (Closes: #1004974)
+
+ -- Andreas B. Mundt <a...@debian.org>  Fri, 04 Feb 2022 18:09:05 +0100
+
 atftp (0.7.git20120829-3.3+deb11u1) bullseye; urgency=medium
 
   * Fix for CVE-2021-41054 (Closes: #994895)
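Review bot: the changelog line names the bug class ("read-past-end-of-array") but not that the over-read is reachable by a remote TFTP client and leaks server memory (the report above describes a partial leak of /etc/group), which is the first thing the security team will look for when deciding how the upload is handled; suggest saying so in the entry, and spelling out the full upstream commit id (9cf799c40738722001552618518279e9f0ef62e5) instead of the six-character abbreviation, since the short form is what people will grep for later and an abbreviated hash can become ambiguous as upstream history grows.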
diff -u atftp-0.7.git20120829/options.c atftp-0.7.git20120829/options.c
--- atftp-0.7.git20120829/options.c
+++ atftp-0.7.git20120829/options.c
@@ -43,6 +43,12 @@
      struct tftphdr *tftp_data = (struct tftphdr *)data;
      size_t size = data_size - sizeof(tftp_data->th_opcode);
 
+     /* sanity check - requests always end in a null byte,
+      * check to prevent argz_next from reading past the end of
+      * data, as it doesn't do bounds checks */
+     if (data_size == 0 || data[data_size-1] != '\0')
+          return ERR;
+
      /* read filename */
      entry = argz_next(tftp_data->th_stuff, size, entry);
      if (!entry)
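Review bot: the new guard `if (data_size == 0 || data[data_size-1] != '\0')` sits after `size_t size = data_size - sizeof(tftp_data->th_opcode);` and only rejects an empty buffer, so a request shorter than the opcode field (a single NUL byte, for instance) still passes the check while `size` has already wrapped to a huge value in the unsigned subtraction, and `argz_next(tftp_data->th_stuff, size, entry)` then starts reading at an offset past the end of the buffer. Suggest tightening the lower bound to `if (data_size <= sizeof(tftp_data->th_opcode) || data[data_size-1] != '\0')`, which keeps the upstream intent (a terminating NUL bounds argz_next) and also closes the underflow.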
@@ -79,6 +85,12 @@
      struct tftphdr *tftp_data = (struct tftphdr *)data;
      size_t size = data_size - sizeof(tftp_data->th_opcode);
 
+     /* sanity check - options always end in a null byte,
+      * check to prevent argz_next from reading past the end of
+      * data, as it doesn't do bounds checks */
+     if (data_size == 0 || data[data_size-1] != '\0')
+          return ERR;
+
      while ((entry = argz_next(tftp_data->th_stuff, size, entry)))
      {
           tmp = entry;
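Review bot: this guard is the same five lines as in the request parser above, including the `data_size == 0` lower bound that still admits a buffer shorter than `sizeof(tftp_data->th_opcode)` after `size` has been computed from it, so the same `<=` tightening belongs here too. Since both functions now open with an identical sanity check, a small static helper (for example a hypothetical `tftp_check_nul_terminated(data, data_size)`) called from both would keep the two copies from drifting apart in later updates; the comment on this copy could also be sharpened, as "options always end in a null byte" describes the wire format while the condition actually tests that the whole `data` buffer is NUL-terminated, which is what bounds the `while ((entry = argz_next(...)))` loop.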
diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog
--- atftp-0.7.git20120829/debian/changelog
+++ atftp-0.7.git20120829/debian/changelog
@@ -1,3 +1,10 @@
+atftp (0.7.git20120829-3.2~deb10u3) buster; urgency=medium
+
+  * Cherry pick 9cf799 from upstream to fix read-past-end-of-array.
+    (Closes: #1004974)
+
+ -- Andreas B. Mundt <a...@debian.org>  Fri, 04 Feb 2022 18:47:25 +0100
+
 atftp (0.7.git20120829-3.2~deb10u2) buster; urgency=medium
 
   * Fix for CVE-2021-41054 (Closes: #994895)
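Review bot: same remark as for the bullseye changelog entry: the line gives the bug class but not that it is remotely triggerable and leaks memory, and abbreviates the upstream commit to 9cf799; once the wording is adjusted, keep it identical in both entries, since they describe the same cherry-pick and will be read side by side in the security tracker.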
diff -u atftp-0.7.git20120829/options.c atftp-0.7.git20120829/options.c
--- atftp-0.7.git20120829/options.c
+++ atftp-0.7.git20120829/options.c
@@ -43,6 +43,12 @@
      struct tftphdr *tftp_data = (struct tftphdr *)data;
      size_t size = data_size - sizeof(tftp_data->th_opcode);
 
+     /* sanity check - requests always end in a null byte,
+      * check to prevent argz_next from reading past the end of
+      * data, as it doesn't do bounds checks */
+     if (data_size == 0 || data[data_size-1] != '\0')
+          return ERR;
+
      /* read filename */
      entry = argz_next(tftp_data->th_stuff, size, entry);
      if (!entry)
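Review bot: this hunk is identical to the bullseye one for the same function, so the same lower-bound concern applies: `data_size == 0` still lets a buffer shorter than `sizeof(tftp_data->th_opcode)` through after `size` has already underflowed in `size_t size = data_size - sizeof(tftp_data->th_opcode);`. If the check is tightened to `data_size <= sizeof(tftp_data->th_opcode)` for bullseye, carry the identical change here so the two debdiffs stay the same apart from the changelog.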
@@ -79,6 +85,12 @@
      struct tftphdr *tftp_data = (struct tftphdr *)data;
      size_t size = data_size - sizeof(tftp_data->th_opcode);
 
+     /* sanity check - options always end in a null byte,
+      * check to prevent argz_next from reading past the end of
+      * data, as it doesn't do bounds checks */
+     if (data_size == 0 || data[data_size-1] != '\0')
+          return ERR;
+
      while ((entry = argz_next(tftp_data->th_stuff, size, entry)))
      {
           tmp = entry;
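Review bot: as with the bullseye copy of this hunk, the duplicated guard shares the weak `data_size == 0` lower bound with the request parser above and would be better expressed once in a helper; whatever form the bullseye version ends up in, apply the same text here so the buster options.c stays in step.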
