summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/changelog7
-rw-r--r--debian/patches/0505-fix_CVE-2020-5208.patch114
-rw-r--r--debian/patches/series1
3 files changed, 122 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index be5b777..ffc6202 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ipmitool (1.8.18-11) UNRELEASED; urgency=medium
+
+ * Fix CVE-2020-5208 (Closes: #950761):
+ - New debian/patches/0505-fix_CVE-2020-5208.patch.
+
+ -- Jörg Frings-Fürst <debian@jff.email> Sun, 03 Jan 2021 08:58:50 +0100
+
ipmitool (1.8.18-10) unstable; urgency=medium
* Add "Restrictions: superficial" to debian/tests/control (Closes: #969834).
diff --git a/debian/patches/0505-fix_CVE-2020-5208.patch b/debian/patches/0505-fix_CVE-2020-5208.patch
new file mode 100644
index 0000000..5b76b32
--- /dev/null
+++ b/debian/patches/0505-fix_CVE-2020-5208.patch
@@ -0,0 +1,114 @@
+Description: Fix CVE-2020-5208
+Origin: backport from https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637
+Bug: https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950761
+Forwarded: not-needed
+Last-Update: 2021-01-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/lib/ipmi_fru.c
+===================================================================
+--- trunk.orig/lib/ipmi_fru.c
++++ trunk/lib/ipmi_fru.c
+@@ -615,7 +615,10 @@ int
+ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+- uint32_t off = offset, tmp, finish;
++ uint32_t off = offset;
++ uint32_t tmp;
++ uint32_t finish;
++ uint32_t size_left_in_buffer;
+ struct ipmi_rs * rsp;
+ struct ipmi_rq req;
+ uint8_t msg_data[4];
+@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, s
+
+ finish = offset + length;
+ if (finish > fru->size) {
++ memset(frubuf + fru->size, 0, length - fru->size);
+ finish = fru->size;
+ lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+ "Adjusting to %d",
+ offset + length, finish - offset);
++ length = finish - offset;
+ }
+
+ memset(&req, 0, sizeof(req));
+@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, s
+ }
+ }
+
++ size_left_in_buffer = length;
+ do {
+ tmp = fru->access ? off >> 1 : off;
+ msg_data[0] = id;
+@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, s
+ }
+
+ tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
++ if(rsp->data_len < 1
++ || tmp > rsp->data_len - 1
++ || tmp > size_left_in_buffer)
++ {
++ printf(" Not enough buffer size");
++ return -1;
++ }
++
+ memcpy(frubuf, rsp->data + 1, tmp);
+ off += tmp;
+ frubuf += tmp;
++ size_left_in_buffer -= tmp;
+ /* sometimes the size returned in the Info command
+ * is too large. return 0 so higher level function
+ * still attempts to parse what was returned */
+@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf *
+ uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+ static uint32_t fru_data_rqst_size = 20;
+- uint32_t off = offset, tmp, finish;
++ uint32_t off = offset;
++ uint32_t tmp, finish;
++ uint32_t size_left_in_buffer;
+ struct ipmi_rs * rsp;
+ struct ipmi_rq req;
+ uint8_t msg_data[4];
+@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf *
+
+ finish = offset + length;
+ if (finish > fru->size) {
++ memset(frubuf + fru->size, 0, length - fru->size);
+ finish = fru->size;
+ lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+ "Adjusting to %d",
+ offset + length, finish - offset);
++ length = finish - offset;
+ }
+
+ memset(&req, 0, sizeof(req));
+@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf *
+ if (fru->access && fru_data_rqst_size > 16)
+ #endif
+ fru_data_rqst_size = 16;
++
++ size_left_in_buffer = length;
+ do {
+ tmp = fru->access ? off >> 1 : off;
+ msg_data[0] = id;
+@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf *
+ }
+
+ tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
++ if(rsp->data_len < 1
++ || tmp > rsp->data_len - 1
++ || tmp > size_left_in_buffer)
++ {
++ printf(" Not enough buffer size");
++ return -1;
++ }
+ memcpy((frubuf + off)-offset, rsp->data + 1, tmp);
+ off += tmp;
++ size_left_in_buffer -= tmp;
+
+ /* sometimes the size returned in the Info command
+ * is too large. return 0 so higher level function
diff --git a/debian/patches/series b/debian/patches/series
index 3c1cb0a..7305f1e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+0505-fix_CVE-2020-5208.patch
0120-openssl1.1.patch
0100-fix_buf_overflow.patch
0500-fix_CVE-2011-4339.patch