Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org
Hi,

I would like to ask for permission to upload a new atftpd package
0.7.git20120829-3.3+deb11u1 to fix #994895, buffer overflow, CVE-2021-41054.

[ Reason ]
Fix a CVE (no DSA)

[ Impact ]
atftpd can be crashed by sending a crafted, but trivial request.

[ Tests ]
I manually tested that the buffer overflow happens in the current package
and is fixed in the new package.

[ Risks ]
very small

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
The patch checks the length of the options of the request and throws an
error if the buffer is too small.
diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog --- atftp-0.7.git20120829/debian/changelog +++ atftp-0.7.git20120829/debian/changelog @@ -1,3 +1,9 @@ +atftp (0.7.git20120829-3.3+deb11u1) bullseye; urgency=medium + + * Fix for CVE-2021-41054 (Closes: #994895) + + -- Andreas B. Mundt <a...@debian.org> Wed, 22 Sep 2021 21:15:01 +0200 + atftp (0.7.git20120829-3.3) unstable; urgency=medium * Non-maintainer upload. diff -u atftp-0.7.git20120829/tftpd_file.c atftp-0.7.git20120829/tftpd_file.c --- atftp-0.7.git20120829/tftpd_file.c +++ atftp-0.7.git20120829/tftpd_file.c @@ -183,8 +183,17 @@ /* blksize options */ if ((result = opt_get_blksize(data->tftp_options)) > -1) { - if ((result < 8) || (result > 65464)) + /* + * If we receive more options, we have to make sure our buffer for + * the OACK is not too small. Use the string representation of + * the options here for simplicity, which puts us on the save side. + * FIXME: Use independent buffers for OACK and data. + */ + opt_options_to_string(data->tftp_options, string, MAXLEN); + if ((result < strlen(string)-2) || (result > 65464)) { + logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.", + string, strlen(string)-2); tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size); if (data->trace) logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG, 
@@ -530,8 +539,17 @@ /* blksize options */ if ((result = opt_get_blksize(data->tftp_options)) > -1) { - if ((result < 8) || (result > 65464)) + /* + * If we receive more options, we have to make sure our buffer for + * the OACK is not too small. Use the string representation of + * the options here for simplicity, which puts us on the save side. + * FIXME: Use independent buffers for OACK and data. + */ + opt_options_to_string(data->tftp_options, string, MAXLEN); + if ((result < strlen(string)-2) || (result > 65464)) { + logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.", + string, strlen(string)-2); tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size); if (data->trace) logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG,
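Review bot: in the first tftpd_file.c hunk (@@ -183,8 +183,17 @@) the new comparison `if ((result < strlen(string)-2) || (result > 65464))` mixes the signed `int` `result` with `size_t` arithmetic, so both the subtraction and the comparison are evaluated unsigned: should `opt_options_to_string()` ever produce fewer than two characters, `strlen(string)-2` wraps to a huge value and every blksize is rejected, and the following `logger(LOG_NOTICE, "... blksize of %d ...", string, strlen(string)-2)` passes a `size_t` to a `%d` conversion, which is undefined behaviour. Suggest computing the required length once, e.g. `size_t need = strlen(string) > 2 ? strlen(string) - 2 : 0;`, comparing with `(size_t)result < need`, and logging with `%zu`. The hunk also drops the explicit `result < 8` lower bound that the old line enforced (the RFC 2348 minimum), now relying on the options string being long enough; keeping `(result < 8) ||` in front of the new test costs nothing and keeps the minimum documented. Minor: "save side" in the new comment should read "safe side".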
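Review bot: the second tftpd_file.c hunk (@@ -530,8 +539,17 @@) repeats the first one verbatim, comment, `opt_options_to_string()` call, comparison and log message included, so the signed/unsigned comparison and the `%d`-with-`size_t` logging issue exist at both call sites and any later correction has to be applied twice. Suggest moving the check into one small static helper (for example one that returns the required OACK length from `data->tftp_options`) and calling it from both places, which also gives the `FIXME: Use independent buffers for OACK and data.` a single spot to land in later.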