buffer overflow vulnerability in netmask 2.3.12

Tue, 05 Feb 2019 17:09:15 -0800 

Dear LTS team,

A buffer overflow vulnerability was recently found in the netmask
package (a small utility that helps determining network masks):

    https://github.com/tlby/netmask/issues/3

The Security Team argued that the version in stretch (2.4.3-1) doesn't
warrant a DSA as the program is built with hardening options enabled
(thus turning the buffer overflow vulnerability into an harmless clash),
but that's not the case for the version in jessie (2.3.12), so I guess
it makes sense to upload a +deb8u1.

I attach a debdiff with a trivial fix backported from 2.4.4, more
specifically the ‘errors.c’ part of

    
https://github.com/tlby/netmask/commit/29a9c239bd1008363f5b34ffd6c2cef906f3660c

For convenience, you can also find the source package at

    dget -x https://people.debian.org/~guilhem/tmp/netmask_2.3.12+deb8u1.dsc

Notes:
 * I only started maintaining this package after jessie was frozen, but
   the previous maintainer is no longer active and I thus took the
   liberty to update the ‘Maintainer’ field in d/control accordingly.
 * Before 2.4.2-1 the package was (incorrectly) native, so in this
   jessie-security package I applied the fix directly to the upstream
   source rather than going via a patch series.
 * Upstream hasn't yet filed a CVE for this issue; I forwarded jmm's
   instructions regarding this.

Thanks!
-- 
Guilhem.

diff -Nru netmask-2.3.12/debian/changelog netmask-2.3.12+deb8u1/debian/changelog
--- netmask-2.3.12/debian/changelog     2010-04-26 04:29:39.000000000 +0200
+++ netmask-2.3.12+deb8u1/debian/changelog      2019-02-06 01:08:09.000000000 
+0100
@@ -1,3 +1,10 @@
+netmask (2.3.12+deb8u1) jessie-security; urgency=medium
+
+  * Fix buffer overflow vulnerability
+    https://github.com/tlby/netmask/issues/3
+
+ -- Guilhem Moulin <guil...@debian.org>  Wed, 06 Feb 2019 01:08:09 +0100
+
 netmask (2.3.12) unstable; urgency=low
 
   * Include patches directly in source because it's a native package 
diff -Nru netmask-2.3.12/debian/control netmask-2.3.12+deb8u1/debian/control
--- netmask-2.3.12/debian/control       2010-04-26 04:29:39.000000000 +0200
+++ netmask-2.3.12+deb8u1/debian/control        2019-02-06 01:08:09.000000000 
+0100
@@ -1,7 +1,7 @@
 Source: netmask
 Section: net
 Priority: optional
-Maintainer: Luis Uribe <a...@eviled.org>
+Maintainer: Guilhem Moulin <guil...@debian.org>
 Build-Depends: debhelper (>= 5), texinfo
 Standards-Version: 3.8.4
 
diff -Nru netmask-2.3.12/errors.c netmask-2.3.12+deb8u1/errors.c
--- netmask-2.3.12/errors.c     2010-04-26 04:29:39.000000000 +0200
+++ netmask-2.3.12+deb8u1/errors.c      2019-02-06 01:04:57.000000000 +0100
@@ -66,7 +66,7 @@
 
     if(!show_status) return(0);
     va_start(args, fmt);
-    vsprintf(buf, fmt, args);
+    vsnprintf(buf, sizeof(buf), fmt, args);
     va_end(args);
     return(message(LOG_DEBUG, buf));
 }
@@ -76,7 +76,7 @@
     va_list args;
 
     va_start(args, fmt);
-    vsprintf(buf, fmt, args);
+    vsnprintf(buf, sizeof(buf), fmt, args);
     va_end(args);
     return(message(LOG_WARNING, buf));
 }
@@ -86,7 +86,7 @@
     va_list args;
 
     va_start(args, fmt);
-    vsprintf(buf, fmt, args);
+    vsnprintf(buf, sizeof(buf), fmt, args);
     va_end(args);
     message(LOG_ERR, buf);
     exit(1);
@@ -97,7 +97,7 @@
 
     /* only handle errno if this is not an informational message */
     if(errno && priority < 5) {
-       sprintf(buf, "%s: %s", msg, strerror(errno));
+       snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno));
        errno = 0;
     } else strcpy(buf, msg);
     if(use_syslog) syslog(priority, "%s", buf);

Attachment: signature.asc
Description: PGP signature

Reply via email to