From mboxrd@z Thu Jan 1 00:00:00 1970 From: Yann E. MORIN Date: Fri, 5 Feb 2021 13:49:05 +0100 Subject: [Buildroot] [PATCH] package/atftp: add security fix for CVE-2020-6097 In-Reply-To: <20210205090101.17220-1-peter@korsgaard.com> References: <20210205090101.17220-1-peter@korsgaard.com> Message-ID: <20210205124905.GU2384@scaer> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: buildroot@busybox.net Peter, All, On 2021-02-05 10:01 +0100, Peter Korsgaard spake thusly: > Fixed the following security issue: > > - CVE-2020-6097: An exploitable denial of service vulnerability exists in > the atftpd daemon functionality of atftp 0.7.git20120829-3.1+b1. A > specially crafted sequence of RRQ-Multicast requests trigger an assert() > call resulting in denial-of-service. An attacker can send a sequence of > malicious packets to trigger this vulnerability. > > For more details, see the report: > https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029 > > Signed-off-by: Peter Korsgaard Applied to master, thanks. Regards, Yann E. MORIN. > --- > ...0004-Fix-for-DoS-issue-CVE-2020-6097.patch | 104 ++++++++++++++++++ > package/atftp/atftp.mk | 3 + > 2 files changed, 107 insertions(+) > create mode 100644 package/atftp/0004-Fix-for-DoS-issue-CVE-2020-6097.patch > > diff --git a/package/atftp/0004-Fix-for-DoS-issue-CVE-2020-6097.patch b/package/atftp/0004-Fix-for-DoS-issue-CVE-2020-6097.patch > new file mode 100644 > index 0000000000..fe59325e57 > --- /dev/null > +++ b/package/atftp/0004-Fix-for-DoS-issue-CVE-2020-6097.patch > @@ -0,0 +1,104 @@ > +From 96409ef3b9ca061f9527cfaafa778105cf15d994 Mon Sep 17 00:00:00 2001 > +From: Peter Kaestle > +Date: Wed, 14 Oct 2020 14:02:41 +0200 > +Subject: [PATCH] Fix for DoS issue CVE-2020-6097 > + > +"sockaddr_print_addr" of tftpd can be triggered remotely to call > +assert(), which will crash the tftpd daemon. See: > +https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029 > + > +"sockaddr_print_addr" originaly had two features: > +1) returning pointer to string of the incoming ip address > +2) checking whether ss_family of the connection is supported > + > +To fix the issue, a separate function "sockaddr_family_supported" is > +used to take care of 2) and "sockaddr_print_addr" returns an error > +message string for unsupported cases when using 1) insert of calling > +assert(). > + > +[Upstream: > + https://sourceforge.net/u/peterkaestle/atftp/ci/96409ef3b9ca061f9527cfaafa778105cf15d994/] > +Signed-off-by: Peter Korsgaard > +--- > + tftp_def.c | 11 ++++++++++- > + tftp_def.h | 1 + > + tftpd.c | 5 +++++ > + tftpd_mtftp.c | 5 +++++ > + 4 files changed, 21 insertions(+), 1 deletion(-) > + > +diff --git a/tftp_def.c b/tftp_def.c > +index d457c2a..428a930 100644 > +--- a/tftp_def.c > ++++ b/tftp_def.c > +@@ -180,6 +180,15 @@ int Gethostbyname(char *addr, struct hostent *host) > + return OK; > + } > + > ++int > ++sockaddr_family_supported(const struct sockaddr_storage *ss) > ++{ > ++ if (ss->ss_family == AF_INET || ss->ss_family == AF_INET6) > ++ return 1; > ++ else > ++ return 0; > ++} > ++ > + char * > + sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len) > + { > +@@ -189,7 +198,7 @@ sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len) > + else if (ss->ss_family == AF_INET6) > + addr = &((const struct sockaddr_in6 *)ss)->sin6_addr; > + else > +- assert(!"sockaddr_print: unsupported address family"); > ++ return "sockaddr_print: unsupported address family"; > + return (char *)inet_ntop(ss->ss_family, addr, buf, len); > + } > + > +diff --git a/tftp_def.h b/tftp_def.h > +index 0841746..458e310 100644 > +--- a/tftp_def.h > ++++ b/tftp_def.h > +@@ -54,6 +54,7 @@ int print_eng(double value, char *string, int size, char *format); > + inline char *Strncpy(char *to, const char *from, size_t size); > + int Gethostbyname(char *addr, struct hostent *host); > + > ++int sockaddr_family_supported(const struct sockaddr_storage *ss); > + char *sockaddr_print_addr(const struct sockaddr_storage *, char *, size_t); > + #define SOCKADDR_PRINT_ADDR_LEN INET6_ADDRSTRLEN > + uint16_t sockaddr_get_port(const struct sockaddr_storage *); > +diff --git a/tftpd.c b/tftpd.c > +index 0b6f6a5..a7561a5 100644 > +--- a/tftpd.c > ++++ b/tftpd.c > +@@ -644,6 +644,11 @@ void *tftpd_receive_request(void *arg) > + } > + > + #ifdef HAVE_WRAP > ++ if (!abort && !sockaddr_family_supported(&data->client_info->client)) > ++ { > ++ logger(LOG_ERR, "Connection from unsupported network address family refused"); > ++ abort = 1; > ++ } > + if (!abort) > + { > + /* Verify the client has access. We don't look for the name but > +diff --git a/tftpd_mtftp.c b/tftpd_mtftp.c > +index d420d10..0032905 100644 > +--- a/tftpd_mtftp.c > ++++ b/tftpd_mtftp.c > +@@ -393,6 +393,11 @@ void *tftpd_mtftp_server(void *arg) > + &data_size, data->data_buffer); > + > + #ifdef HAVE_WRAP > ++ if (!sockaddr_family_supported(&sa)) > ++ { > ++ logger(LOG_ERR, "mtftp: Connection from unsupported network address family refused"); > ++ continue; > ++ } > + /* Verify the client has access. We don't look for the name but > + rely only on the IP address for that. */ > + sockaddr_print_addr(&sa, addr_str, sizeof(addr_str)); > +-- > +2.20.1 > + > diff --git a/package/atftp/atftp.mk b/package/atftp/atftp.mk > index cbe05ba7e0..a4b461fda5 100644 > --- a/package/atftp/atftp.mk > +++ b/package/atftp/atftp.mk > @@ -18,6 +18,9 @@ ATFTP_LIBS = -lpthread > ATFTP_CONF_ENV = LIBS="$(ATFTP_LIBS)" \ > CFLAGS="$(TARGET_CFLAGS) -fgnu89-inline" > > +# 0004-Fix-for-DoS-issue-CVE-2020-6097.patch > +ATFTP_IGNORE_CVES += CVE-2020-6097 > + > ifeq ($(BR2_PACKAGE_READLINE),y) > ATFTP_DEPENDENCIES += readline > ATFTP_CONF_OPTS += --enable-libreadline > -- > 2.20.1 > > _______________________________________________ > buildroot mailing list > buildroot at busybox.net > http://lists.busybox.net/mailman/listinfo/buildroot -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------'