diff options
Diffstat (limited to 'debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch')
-rw-r--r-- | debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch b/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch new file mode 100644 index 0000000..cae9ddd --- /dev/null +++ b/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch @@ -0,0 +1,37 @@ +Subject: [PATCH 4/6] channel: Fix buffer overflow + Partial fix for CVE-2020-5208, see + https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp + . + The `ipmi_get_channel_cipher_suites` function does not properly check + the final response’s `data_len`, which can lead to stack buffer overflow + on the final copy. + From 9452be87181a6e83cfcc768b3ed8321763db50e4 Mon Sep 17 00:00:00 2001 +From: Chrostoper Ertl <chertl@microsoft.com> +Date: Thu, 28 Nov 2019 16:56:38 +0000 +Last-Update: 2021-02-08 + +--- ipmitool-1.8.18.orig/lib/ipmi_channel.c ++++ ipmitool-1.8.18/lib/ipmi_channel.c +@@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ip + lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); + return -1; + } +- if (rsp->ccode > 0) { ++ if (rsp->ccode ++ || rsp->data_len < 1 ++ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) ++ { + lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", + val2str(rsp->ccode, completion_code_vals)); + return -1; +--- a/include/ipmitool/ipmi_channel.h 2016-05-29 21:46:53.000000000 +0200 ++++ b/include/ipmitool/ipmi_channel.h 2021-02-08 23:45:10.598535426 +0100 +@@ -77,6 +77,8 @@ + uint8_t user_level_auth; + }; + ++#define MAX_CIPHER_SUITE_DATA_LEN 0x10 ++ + /* + * The Get Authentication Capabilities response structure + * From table 22-15 of the IPMI v2.0 spec |