Accepting request 843270 from home:pmonrealgonzalez:branches:network

- Security fix: [bsc#1176437, CVE-2020-6097] * A specially crafted sequence of RRQ-Multicast requests can trigger an assert() call resulting denial-of-service. - Add atftp-CVE-2020-6097.patch OBS-URL: https://build.opensuse.org/request/show/843270 OBS-URL: https://build.opensuse.org/package/show/network/atftp?expand=0&rev=44
2020-10-25 17:44:03 +00:00
parent afc6e74777
commit fa4c7b8743
3 changed files with 111 additions and 0 deletions
--- a/atftp-CVE-2020-6097.patch
+++ b/atftp-CVE-2020-6097.patch
@@ -0,0 +1,100 @@
+From 96409ef3b9ca061f9527cfaafa778105cf15d994 Mon Sep 17 00:00:00 2001
+From: Peter Kaestle <peter.kaestle@nokia.com>
+Date: Wed, 14 Oct 2020 14:02:41 +0200
+Subject: [PATCH] Fix for DoS issue CVE-2020-6097
+
+"sockaddr_print_addr" of tftpd can be triggered remotely to call
+assert(), which will crash the tftpd daemon.  See:
+https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029
+
+"sockaddr_print_addr" originaly had two features:
+1) returning pointer to string of the incoming ip address
+2) checking whether ss_family of the connection is supported
+
+To fix the issue, a separate function "sockaddr_family_supported" is
+used to take care of 2) and "sockaddr_print_addr" returns an error
+message string for unsupported cases when using 1) insert of calling
+assert().
+---
+ tftp_def.c    | 11 ++++++++++-
+ tftp_def.h    |  1 +
+ tftpd.c       |  5 +++++
+ tftpd_mtftp.c |  5 +++++
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/tftp_def.c b/tftp_def.c
+index d457c2a..428a930 100644
+--- a/tftp_def.c
+++ b/tftp_def.c
+@@ -180,6 +180,15 @@ int Gethostbyname(char *addr, struct hostent *host)
+      return OK;
+ }
+ 
+int
+sockaddr_family_supported(const struct sockaddr_storage *ss)
+{
+     if (ss->ss_family == AF_INET || ss->ss_family == AF_INET6)
+          return 1;
+     else
+          return 0;
+}
+
+ char *
+ sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len)
+ {
+@@ -189,7 +198,7 @@ sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len)
+      else if (ss->ss_family == AF_INET6)
+           addr = &((const struct sockaddr_in6 *)ss)->sin6_addr;
+      else
+-          assert(!"sockaddr_print: unsupported address family");
+          return "sockaddr_print: unsupported address family";
+      return (char *)inet_ntop(ss->ss_family, addr, buf, len);
+ }
+ 
+diff --git a/tftp_def.h b/tftp_def.h
+index 0841746..458e310 100644
+--- a/tftp_def.h
+++ b/tftp_def.h
+@@ -54,6 +54,7 @@ int print_eng(double value, char *string, int size, char *format);
+ inline char *Strncpy(char *to, const char *from, size_t size);
+ int Gethostbyname(char *addr, struct hostent *host);
+ 
+int sockaddr_family_supported(const struct sockaddr_storage *ss);
+ char *sockaddr_print_addr(const struct sockaddr_storage *, char *, size_t);
+ #define SOCKADDR_PRINT_ADDR_LEN INET6_ADDRSTRLEN
+ uint16_t sockaddr_get_port(const struct sockaddr_storage *);
+diff --git a/tftpd.c b/tftpd.c
+index 0b6f6a5..a7561a5 100644
+--- a/tftpd.c
+++ b/tftpd.c
+@@ -644,6 +644,11 @@ void *tftpd_receive_request(void *arg)
+      }
+ 
+ #ifdef HAVE_WRAP
+     if (!abort && !sockaddr_family_supported(&data->client_info->client))
+     {
+          logger(LOG_ERR, "Connection from unsupported network address family refused");
+          abort = 1;
+     }
+      if (!abort)
+      {
+           /* Verify the client has access. We don't look for the name but
+diff --git a/tftpd_mtftp.c b/tftpd_mtftp.c
+index d420d10..0032905 100644
+--- a/tftpd_mtftp.c
+++ b/tftpd_mtftp.c
+@@ -393,6 +393,11 @@ void *tftpd_mtftp_server(void *arg)
+                                         &data_size, data->data_buffer);
+ 
+ #ifdef HAVE_WRAP
+               if (!sockaddr_family_supported(&sa))
+               {
+                    logger(LOG_ERR, "mtftp: Connection from unsupported network address family refused");
+                    continue;
+               }
+                /* Verify the client has access. We don't look for the name but
+                   rely only on the IP address for that. */
+                sockaddr_print_addr(&sa, addr_str, sizeof(addr_str));
+-- 
+2.28.0
+
--- a/atftp.changes
+++ b/atftp.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Oct 21 18:19:51 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix: [bsc#1176437, CVE-2020-6097]
+  * A specially crafted sequence of RRQ-Multicast requests can
+    trigger an assert() call resulting denial-of-service.
+- Add atftp-CVE-2020-6097.patch
+
 -------------------------------------------------------------------
 Sat Apr 25 13:16:41 UTC 2020 - chris@computersalat.de

--- a/atftp.spec
+++ b/atftp.spec
@@ -44,6 +44,8 @@ Patch4:         atftp-0.7-default_user_man.patch
 # PATCH-FIX-SUSE update default directory in man (bnc#507011)
 Patch5:         atftp-0.7-default_dir_man.patch
 Patch6:         atftp-drop_privileges_non-daemon.patch
+# PATCH-FIX-UPSTREAM bsc#1176437 CVE-2020-6097 Fix for DoS issue
+Patch7:         atftp-CVE-2020-6097.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  pcre-devel
@@ -76,6 +78,7 @@ boot of hundreds of machines simultaneously.
 %patch4
 %patch5
 %patch6 -p1
+%patch7 -p1

 %build
 autoreconf -fi