Your message dated Thu, 22 Aug 2019 03:18:42 +0000 with message-id <[email protected]> and subject line Bug#935332: Removed package(s) from unstable has caused the Debian Bug report #933674, regarding Buffer overflow during processing of large server replies in "pump" to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 933674: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933674 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: pump Version: 0.8.24-7.1 Severity: grave Tags: security There is a missing check in source file dhcp.c, function handleTransaction(), line 958 when copying body of the server response to struct bootpRequest bresp. Ethernet packet length can be greater than sizeof(*bresp) == 548 but handleTransaction() only checks (line 914) that j - sizeof (*ipHdr) - sizeof (*udpHdr) is non-negative. This allows attacker to overwrite up to ETH_FRAME_LEN - sizeof(*ipHdr) - sizeof(*udpHdr) - sizeof(*bresp) bytes of the stack memory. If compiler hardening is disabled then this vulnerability can lead to execution of arbitrary code. I am not sure whether this is practically exploitable when "-fstack-protector" is enabled. I suggest applying the attached patch, however it is not tested.--- dhcp.c 2019-03-01 00:00:00.000000000 +0000 +++ dhcp.c 2019-07-30 00:00:00.000000000 +0000 @@ -946,6 +946,13 @@ static char * handleTransaction(int s, s continue; if (udpHdr->dest != bootp_client_port) continue; + + /* Relevant responses cannot exceed sizeof (*bresp) due to + the value of DHCP_OPTION_MAXSIZE being set to it in our + requests. */ + if (j - sizeof (*ipHdr) - sizeof (*udpHdr) > sizeof (*bresp)) + continue; + /* Go on with this packet; it looks sane */ /* Originally copied sizeof (*bresp) - this is a security
--- End Message ---
--- Begin Message ---Version: 0.8.24-7.1+rm Dear submitter, as the package pump has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly. For details on the removal, please see https://bugs.debian.org/935332 The version of this package that was in Debian prior to this removal can still be found using http://snapshot.debian.org/. This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]. Debian distribution maintenance software pp. Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---
