Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

[ Reason ]
Fix of CVE-2021-46671 reported in #1004974.

[ Impact ]
Potential information leak under special circumstances.

[ Tests ]
I checked manually that the changes fix the problem. The version in
testing has contained the fix for a long time already and no problems
have been observed.

[ Risks ]
Risks are rather low, as the changes are not complicated and have been
in place in the version in testing for quite some time.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
With the fix applied, options sent to the daemon are better checked to
avoid reading past the end of an array.

[ Other info ]
The same problem exists in buster (I'll open a separate buster-pu).
I am going to upload the fixed version already.

diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog --- atftp-0.7.git20120829/debian/changelog +++ atftp-0.7.git20120829/debian/changelog @@ -1,3 +1,9 @@ +atftp (0.7.git20120829-3.3+deb11u2) bullseye; urgency=medium + + * Fix for CVE-2021-46671 (Closes: #1004974) + + -- Andreas B. Mundt <a...@debian.org> Fri, 04 Feb 2022 18:09:05 +0100 + atftp (0.7.git20120829-3.3+deb11u1) bullseye; urgency=medium * Fix for CVE-2021-41054 (Closes: #994895) diff -u atftp-0.7.git20120829/options.c atftp-0.7.git20120829/options.c --- atftp-0.7.git20120829/options.c +++ atftp-0.7.git20120829/options.c @@ -43,6 +43,12 @@ struct tftphdr *tftp_data = (struct tftphdr *)data; size_t size = data_size - sizeof(tftp_data->th_opcode); + /* sanity check - requests always end in a null byte, + * check to prevent argz_next from reading past the end of + * data, as it doesn't do bounds checks */ + if (data_size == 0 || data[data_size-1] != '\0') + return ERR; + /* read filename */ entry = argz_next(tftp_data->th_stuff, size, entry); if (!entry) @@ -79,6 +85,12 @@ struct tftphdr *tftp_data = (struct tftphdr *)data; size_t size = data_size - sizeof(tftp_data->th_opcode); + /* sanity check - options always end in a null byte, + * check to prevent argz_next from reading past the end of + * data, as it doesn't do bounds checks */ + if (data_size == 0 || data[data_size-1] != '\0') + return ERR; + while ((entry = argz_next(tftp_data->th_stuff, size, entry))) { tmp = entry;
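
Review bot: in the first options.c hunk (@@ -43,6 +43,12 @@) the added check only rejects data_size == 0, and it runs after the context line that computes size = data_size - sizeof(tftp_data->th_opcode). A data_size that is non-zero but smaller than the opcode field, with a '\0' as its last byte, passes the check while size has already wrapped around as a size_t, and that wrapped value is the bound handed to argz_next. Suggest testing data_size < sizeof(tftp_data->th_opcode) in place of data_size == 0 and moving the check above the size computation, so that size is only derived from a length that has been validated.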
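
Review bot: the second options.c hunk (@@ -79,6 +85,12 @@) repeats the added block of the first hunk verbatim, including the data_size == 0 lower bound evaluated after size has been computed, so any correction to the bound has to be made in two places. Suggest moving the length and trailing-'\0' test into one small static helper in options.c that both call sites use before computing size and entering the argz_next loop. The comment could also say that the check relies on the caller passing the received packet length as data_size, since that is what makes data[data_size-1] the last byte actually read from the network.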