diff options
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/patches/0505-fix_CVE-2020-5208.patch | 114 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 122 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index be5b777..ffc6202 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ipmitool (1.8.18-11) UNRELEASED; urgency=medium + + * Fix CVE-2020-5208 (Closes: #950761): + - New debian/patches/0505-fix_CVE-2020-5208.patch. + + -- Jörg Frings-Fürst <debian@jff.email> Sun, 03 Jan 2021 08:58:50 +0100 + ipmitool (1.8.18-10) unstable; urgency=medium * Add "Restrictions: superficial" to debian/tests/control (Closes: #969834). diff --git a/debian/patches/0505-fix_CVE-2020-5208.patch b/debian/patches/0505-fix_CVE-2020-5208.patch new file mode 100644 index 0000000..5b76b32 --- /dev/null +++ b/debian/patches/0505-fix_CVE-2020-5208.patch @@ -0,0 +1,114 @@ +Description: Fix CVE-2020-5208 +Origin: backport from https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637 +Bug: https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950761 +Forwarded: not-needed +Last-Update: 2021-01-03 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: trunk/lib/ipmi_fru.c +=================================================================== +--- trunk.orig/lib/ipmi_fru.c ++++ trunk/lib/ipmi_fru.c +@@ -615,7 +615,10 @@ int + read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + uint32_t offset, uint32_t length, uint8_t *frubuf) + { +- uint32_t off = offset, tmp, finish; ++ uint32_t off = offset; ++ uint32_t tmp; ++ uint32_t finish; ++ uint32_t size_left_in_buffer; + struct ipmi_rs * rsp; + struct ipmi_rq req; + uint8_t msg_data[4]; +@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, s + + finish = offset + length; + if (finish > fru->size) { ++ memset(frubuf + fru->size, 0, length - fru->size); + finish = fru->size; + lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " + "Adjusting to %d", + offset + length, finish - offset); ++ length = finish - offset; + } + + memset(&req, 0, sizeof(req)); +@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, s + } + } + ++ size_left_in_buffer = length; + do { + tmp = fru->access ? off >> 1 : off; + msg_data[0] = id; +@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, s + } + + tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; ++ if(rsp->data_len < 1 ++ || tmp > rsp->data_len - 1 ++ || tmp > size_left_in_buffer) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } ++ + memcpy(frubuf, rsp->data + 1, tmp); + off += tmp; + frubuf += tmp; ++ size_left_in_buffer -= tmp; + /* sometimes the size returned in the Info command + * is too large. return 0 so higher level function + * still attempts to parse what was returned */ +@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * + uint32_t offset, uint32_t length, uint8_t *frubuf) + { + static uint32_t fru_data_rqst_size = 20; +- uint32_t off = offset, tmp, finish; ++ uint32_t off = offset; ++ uint32_t tmp, finish; ++ uint32_t size_left_in_buffer; + struct ipmi_rs * rsp; + struct ipmi_rq req; + uint8_t msg_data[4]; +@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * + + finish = offset + length; + if (finish > fru->size) { ++ memset(frubuf + fru->size, 0, length - fru->size); + finish = fru->size; + lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " + "Adjusting to %d", + offset + length, finish - offset); ++ length = finish - offset; + } + + memset(&req, 0, sizeof(req)); +@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * + if (fru->access && fru_data_rqst_size > 16) + #endif + fru_data_rqst_size = 16; ++ ++ size_left_in_buffer = length; + do { + tmp = fru->access ? off >> 1 : off; + msg_data[0] = id; +@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * + } + + tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; ++ if(rsp->data_len < 1 ++ || tmp > rsp->data_len - 1 ++ || tmp > size_left_in_buffer) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } + memcpy((frubuf + off)-offset, rsp->data + 1, tmp); + off += tmp; ++ size_left_in_buffer -= tmp; + + /* sometimes the size returned in the Info command + * is too large. return 0 so higher level function diff --git a/debian/patches/series b/debian/patches/series index 3c1cb0a..7305f1e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ +0505-fix_CVE-2020-5208.patch 0120-openssl1.1.patch 0100-fix_buf_overflow.patch 0500-fix_CVE-2011-4339.patch |