From fc092cfa1dbd409310c73eadee93519db8647934 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 3 Jan 2021 09:23:38 +0100 Subject: New d/p/0505-fix_CVE-2020-5208.patch --- debian/changelog | 7 ++ debian/patches/0505-fix_CVE-2020-5208.patch | 114 ++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 122 insertions(+) create mode 100644 debian/patches/0505-fix_CVE-2020-5208.patch diff --git a/debian/changelog b/debian/changelog index be5b777..ffc6202 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ipmitool (1.8.18-11) UNRELEASED; urgency=medium + + * Fix CVE-2020-5208 (Closes: #950761): + - New debian/patches/0505-fix_CVE-2020-5208.patch. + + -- Jörg Frings-Fürst Sun, 03 Jan 2021 08:58:50 +0100 + ipmitool (1.8.18-10) unstable; urgency=medium * Add "Restrictions: superficial" to debian/tests/control (Closes: #969834). diff --git a/debian/patches/0505-fix_CVE-2020-5208.patch b/debian/patches/0505-fix_CVE-2020-5208.patch new file mode 100644 index 0000000..5b76b32 --- /dev/null +++ b/debian/patches/0505-fix_CVE-2020-5208.patch @@ -0,0 +1,114 @@ +Description: Fix CVE-2020-5208 +Origin: backport from https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637 +Bug: https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950761 +Forwarded: not-needed +Last-Update: 2021-01-03 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: trunk/lib/ipmi_fru.c +=================================================================== +--- trunk.orig/lib/ipmi_fru.c ++++ trunk/lib/ipmi_fru.c +@@ -615,7 +615,10 @@ int + read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + uint32_t offset, uint32_t length, uint8_t *frubuf) + { +- uint32_t off = offset, tmp, finish; ++ uint32_t off = offset; ++ uint32_t tmp; ++ uint32_t finish; ++ uint32_t size_left_in_buffer; + struct ipmi_rs * rsp; + struct ipmi_rq req; + uint8_t msg_data[4]; +@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, s + + finish = offset + length; + if (finish > fru->size) { ++ memset(frubuf + fru->size, 0, length - fru->size); + finish = fru->size; + lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " + "Adjusting to %d", + offset + length, finish - offset); ++ length = finish - offset; + } + + memset(&req, 0, sizeof(req)); +@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, s + } + } + ++ size_left_in_buffer = length; + do { + tmp = fru->access ? off >> 1 : off; + msg_data[0] = id; +@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, s + } + + tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; ++ if(rsp->data_len < 1 ++ || tmp > rsp->data_len - 1 ++ || tmp > size_left_in_buffer) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } ++ + memcpy(frubuf, rsp->data + 1, tmp); + off += tmp; + frubuf += tmp; ++ size_left_in_buffer -= tmp; + /* sometimes the size returned in the Info command + * is too large. return 0 so higher level function + * still attempts to parse what was returned */ +@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * + uint32_t offset, uint32_t length, uint8_t *frubuf) + { + static uint32_t fru_data_rqst_size = 20; +- uint32_t off = offset, tmp, finish; ++ uint32_t off = offset; ++ uint32_t tmp, finish; ++ uint32_t size_left_in_buffer; + struct ipmi_rs * rsp; + struct ipmi_rq req; + uint8_t msg_data[4]; +@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * + + finish = offset + length; + if (finish > fru->size) { ++ memset(frubuf + fru->size, 0, length - fru->size); + finish = fru->size; + lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " + "Adjusting to %d", + offset + length, finish - offset); ++ length = finish - offset; + } + + memset(&req, 0, sizeof(req)); +@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * + if (fru->access && fru_data_rqst_size > 16) + #endif + fru_data_rqst_size = 16; ++ ++ size_left_in_buffer = length; + do { + tmp = fru->access ? off >> 1 : off; + msg_data[0] = id; +@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * + } + + tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; ++ if(rsp->data_len < 1 ++ || tmp > rsp->data_len - 1 ++ || tmp > size_left_in_buffer) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } + memcpy((frubuf + off)-offset, rsp->data + 1, tmp); + off += tmp; ++ size_left_in_buffer -= tmp; + + /* sometimes the size returned in the Info command + * is too large. return 0 so higher level function diff --git a/debian/patches/series b/debian/patches/series index 3c1cb0a..7305f1e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ +0505-fix_CVE-2020-5208.patch 0120-openssl1.1.patch 0100-fix_buf_overflow.patch 0500-fix_CVE-2011-4339.patch -- cgit v1.2.3 From e6cea535b1acc72a8a6a3257c0a6e2f6dfcba9fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 3 Jan 2021 09:25:01 +0100 Subject: Remove useless debian/ipmitool.lintian-overrides --- debian/changelog | 1 + debian/ipmitool.lintian-overrides | 4 ---- 2 files changed, 1 insertion(+), 4 deletions(-) delete mode 100644 debian/ipmitool.lintian-overrides diff --git a/debian/changelog b/debian/changelog index ffc6202..36a62fa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,7 @@ ipmitool (1.8.18-11) UNRELEASED; urgency=medium * Fix CVE-2020-5208 (Closes: #950761): - New debian/patches/0505-fix_CVE-2020-5208.patch. + * Remove useless debian/ipmitool.lintian-overrides. -- Jörg Frings-Fürst Sun, 03 Jan 2021 08:58:50 +0100 diff --git a/debian/ipmitool.lintian-overrides b/debian/ipmitool.lintian-overrides deleted file mode 100644 index 00696e1..0000000 --- a/debian/ipmitool.lintian-overrides +++ /dev/null @@ -1,4 +0,0 @@ -# -# see bug #932378 -# -ipmitool: missing-versioned-depends-on-init-system-helpers postinst:23 "update-rc.d defaults-disabled" needs init-system-helpers >= 1.50 -- cgit v1.2.3 From d592a8b7429cf094761e73fce72b457b2d15611f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 3 Jan 2021 09:26:30 +0100 Subject: Declare compliance with Debian Policy 4.5.1 --- debian/changelog | 1 + debian/control | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 36a62fa..1fa14b6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,7 @@ ipmitool (1.8.18-11) UNRELEASED; urgency=medium * Fix CVE-2020-5208 (Closes: #950761): - New debian/patches/0505-fix_CVE-2020-5208.patch. * Remove useless debian/ipmitool.lintian-overrides. + * Declare compliance with Debian Policy 4.5.1 (No changes needed). -- Jörg Frings-Fürst Sun, 03 Jan 2021 08:58:50 +0100 diff --git a/debian/control b/debian/control index 76b151b..c509c21 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,7 @@ Build-Depends: libfreeipmi-dev [!hurd-i386], libreadline-dev, libssl-dev -Standards-Version: 4.5.0 +Standards-Version: 4.5.1 Rules-Requires-Root: no Vcs-Git: git://jff.email/opt/git/ipmitool.git Vcs-Browser: https://jff.email/cgit/ipmitool.git -- cgit v1.2.3 From 6e211950a4849a1be729876cdb8efd0cb3083b03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 3 Jan 2021 09:29:28 +0100 Subject: Remove useless DEP 8 Smoketest --- debian/changelog | 1 + debian/tests/control | 4 ---- 2 files changed, 1 insertion(+), 4 deletions(-) delete mode 100644 debian/tests/control diff --git a/debian/changelog b/debian/changelog index 1fa14b6..a2eab4a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,7 @@ ipmitool (1.8.18-11) UNRELEASED; urgency=medium - New debian/patches/0505-fix_CVE-2020-5208.patch. * Remove useless debian/ipmitool.lintian-overrides. * Declare compliance with Debian Policy 4.5.1 (No changes needed). + * Remove useless DEP 8 Smoketest. -- Jörg Frings-Fürst Sun, 03 Jan 2021 08:58:50 +0100 diff --git a/debian/tests/control b/debian/tests/control deleted file mode 100644 index d601169..0000000 --- a/debian/tests/control +++ /dev/null @@ -1,4 +0,0 @@ -# smoke test -Test-Command: ipmitool -V -Depends: ipmitool -Restrictions: superficial -- cgit v1.2.3 From b2402345fbef781e1e3e4eeb72226674fb7f4106 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 3 Jan 2021 09:31:47 +0100 Subject: d/copyright: Add year 2021 to debian/* --- debian/changelog | 2 ++ debian/copyright | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index a2eab4a..d4c22c5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,8 @@ ipmitool (1.8.18-11) UNRELEASED; urgency=medium * Remove useless debian/ipmitool.lintian-overrides. * Declare compliance with Debian Policy 4.5.1 (No changes needed). * Remove useless DEP 8 Smoketest. + * debian/copyright: + - Add year 2021 to debian/*. -- Jörg Frings-Fürst Sun, 03 Jan 2021 08:58:50 +0100 diff --git a/debian/copyright b/debian/copyright index 9f7f630..5e6d315 100644 --- a/debian/copyright +++ b/debian/copyright @@ -34,7 +34,7 @@ Copyright: 2003-2005 Duncan Laurie 2011-2013 Luk Claes 2012 Leo Iannacone 2013 Robie Basak - 2014-2019 Jörg Frings-Fürst + 2014-2021 Jörg Frings-Fürst License: BSD-3-clause License: BSD-3-clause -- cgit v1.2.3 From fed057dbeb8fe779c4148764b32bbab6f4fe8ed7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 3 Jan 2021 09:38:10 +0100 Subject: d/changelog: Change distribution to unstable, Change date and time --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index d4c22c5..7b0a76a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -ipmitool (1.8.18-11) UNRELEASED; urgency=medium +ipmitool (1.8.18-11) unstable; urgency=medium * Fix CVE-2020-5208 (Closes: #950761): - New debian/patches/0505-fix_CVE-2020-5208.patch. @@ -8,7 +8,7 @@ ipmitool (1.8.18-11) UNRELEASED; urgency=medium * debian/copyright: - Add year 2021 to debian/*. - -- Jörg Frings-Fürst Sun, 03 Jan 2021 08:58:50 +0100 + -- Jörg Frings-Fürst Sun, 03 Jan 2021 09:37:13 +0100 ipmitool (1.8.18-10) unstable; urgency=medium -- cgit v1.2.3 From 7112482cd2bf826578948a2ab00f4e59f01d67ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 3 Jan 2021 09:57:45 +0100 Subject: Fix #947384 --- debian/changelog | 2 ++ debian/ipmitool.maintscript | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 7b0a76a..6da5f7d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,8 @@ ipmitool (1.8.18-11) unstable; urgency=medium * Remove useless DEP 8 Smoketest. * debian/copyright: - Add year 2021 to debian/*. + * debian/ipmitool.maintscript (Closes: #947384): + - Change prior-version to 1.8.18-11~ -- Jörg Frings-Fürst Sun, 03 Jan 2021 09:37:13 +0100 diff --git a/debian/ipmitool.maintscript b/debian/ipmitool.maintscript index 2a663cf..7761b8a 100644 --- a/debian/ipmitool.maintscript +++ b/debian/ipmitool.maintscript @@ -1 +1 @@ -rm_conffile /etc/default/ipmitool 1.8.18-6~ ipmitool +rm_conffile /etc/default/ipmitool 1.8.18-11~ ipmitool -- cgit v1.2.3 From f2495c3d094414e593fde208816859d14000e2d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 3 Jan 2021 10:13:59 +0100 Subject: d/changelog: Change date and time --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 6da5f7d..6e89b4f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,7 +10,7 @@ ipmitool (1.8.18-11) unstable; urgency=medium * debian/ipmitool.maintscript (Closes: #947384): - Change prior-version to 1.8.18-11~ - -- Jörg Frings-Fürst Sun, 03 Jan 2021 09:37:13 +0100 + -- Jörg Frings-Fürst Sun, 03 Jan 2021 10:13:15 +0100 ipmitool (1.8.18-10) unstable; urgency=medium -- cgit v1.2.3 From 291489a7a30ddd4126ec02fadde3e767991be5e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 3 Jan 2021 11:01:54 +0100 Subject: new d/TROUBLESHOOTING.Debian to fix if /dev/ipmiX is missing --- debian/TROUBLESHOOTING.Debian | 14 ++++++++++++++ debian/changelog | 4 +++- 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 debian/TROUBLESHOOTING.Debian diff --git a/debian/TROUBLESHOOTING.Debian b/debian/TROUBLESHOOTING.Debian new file mode 100644 index 0000000..6efcea2 --- /dev/null +++ b/debian/TROUBLESHOOTING.Debian @@ -0,0 +1,14 @@ + +1.) Could not open device at /dev/ipmiX + + + +1.) Could not open device at /dev/ipmiX + +If you get this error messages on start ipmievd and you have you have an IPMI Interface you can fix this with: + +- apt install openipmi +- systemctl edit ipmied + and add into teh Unit section + After=openipmi.service + diff --git a/debian/changelog b/debian/changelog index 6e89b4f..ac2b5bb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,7 +8,9 @@ ipmitool (1.8.18-11) unstable; urgency=medium * debian/copyright: - Add year 2021 to debian/*. * debian/ipmitool.maintscript (Closes: #947384): - - Change prior-version to 1.8.18-11~ + - Change prior-version to 1.8.18-11~. + * New debian/TROUBLESHOOTING.Debian (Closes: #950206): + - Add Fix if /dev/ipmiX is missing. -- Jörg Frings-Fürst Sun, 03 Jan 2021 10:13:15 +0100 -- cgit v1.2.3 From 4d82e89d8c48f8a44d71cbfaa6f12bf3f6fa1ac4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 3 Jan 2021 11:04:52 +0100 Subject: d/changelog: Change date and time --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index ac2b5bb..b390d02 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,7 +12,7 @@ ipmitool (1.8.18-11) unstable; urgency=medium * New debian/TROUBLESHOOTING.Debian (Closes: #950206): - Add Fix if /dev/ipmiX is missing. - -- Jörg Frings-Fürst Sun, 03 Jan 2021 10:13:15 +0100 + -- Jörg Frings-Fürst Sun, 03 Jan 2021 11:03:11 +0100 ipmitool (1.8.18-10) unstable; urgency=medium -- cgit v1.2.3 From 71ae773266e284bbccc10deb4e969284d7c8b7da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Mon, 4 Jan 2021 07:12:30 +0100 Subject: More work on CVE-2020-5208 --- debian/patches/0505-fix_CVE-2020-5208.patch | 187 +++++++++++++++++++++++++++- 1 file changed, 186 insertions(+), 1 deletion(-) diff --git a/debian/patches/0505-fix_CVE-2020-5208.patch b/debian/patches/0505-fix_CVE-2020-5208.patch index 5b76b32..1295180 100644 --- a/debian/patches/0505-fix_CVE-2020-5208.patch +++ b/debian/patches/0505-fix_CVE-2020-5208.patch @@ -1,5 +1,11 @@ Description: Fix CVE-2020-5208 -Origin: backport from https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637 +Origin: backport from + https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2 + https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10 + https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 + https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4 + https://github.com/ipmitool/ipmitool/commit/d45572d71e70840e0d4c50bf48218492b79c1a10 + https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637 Bug: https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950761 Forwarded: not-needed @@ -112,3 +118,182 @@ Index: trunk/lib/ipmi_fru.c /* sometimes the size returned in the Info command * is too large. return 0 so higher level function +@@ -3033,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf, + return 0; + + memset(desc, 0, sizeof(desc)); +- memcpy(desc, fru->id_string, fru->id_code & 0x01f); ++ memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc))); + desc[fru->id_code & 0x01f] = 0; + printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id); + +Index: trunk/lib/ipmi_sdr.c +=================================================================== +--- trunk.orig/lib/ipmi_sdr.c ++++ trunk/lib/ipmi_sdr.c +@@ -2084,7 +2084,7 @@ ipmi_sdr_print_sensor_eventonly(struct i + return -1; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string); + + if (verbose) { + printf("Sensor ID : %s (0x%x)\n", +@@ -2135,7 +2135,7 @@ ipmi_sdr_print_sensor_mc_locator(struct + return -1; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string); + + if (verbose == 0) { + if (csv_output) +@@ -2228,7 +2228,7 @@ ipmi_sdr_print_sensor_generic_locator(st + char desc[17]; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string); + + if (!verbose) { + if (csv_output) +@@ -2285,7 +2285,7 @@ ipmi_sdr_print_sensor_fru_locator(struct + char desc[17]; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string); + + if (!verbose) { + if (csv_output) +@@ -2489,35 +2489,43 @@ ipmi_sdr_print_name_from_rawentry(struct + + int rc =0; + char desc[17]; ++ const char *id_string; ++ uint8_t id_code; + memset(desc, ' ', sizeof (desc)); + + switch ( type) { + case SDR_RECORD_TYPE_FULL_SENSOR: + record.full = (struct sdr_record_full_sensor *) raw; +- snprintf(desc, (record.full->id_code & 0x1f) +1, "%s", +- (const char *)record.full->id_string); ++ id_code = record.full->id_code; ++ id_string = record.full->id_string; + break; ++ + case SDR_RECORD_TYPE_COMPACT_SENSOR: + record.compact = (struct sdr_record_compact_sensor *) raw ; +- snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s", +- (const char *)record.compact->id_string); ++ id_code = record.compact->id_code; ++ id_string = record.compact->id_string; + break; ++ + case SDR_RECORD_TYPE_EVENTONLY_SENSOR: + record.eventonly = (struct sdr_record_eventonly_sensor *) raw ; +- snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s", +- (const char *)record.eventonly->id_string); +- break; ++ id_code = record.eventonly->id_code; ++ id_string = record.eventonly->id_string; ++ break; ++ + case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR: + record.mcloc = (struct sdr_record_mc_locator *) raw ; +- snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s", +- (const char *)record.mcloc->id_string); ++ id_code = record.mcloc->id_code; ++ id_string = record.mcloc->id_string; + break; ++ + default: + rc = -1; +- break; +- } ++ } ++ if (!rc) { ++ snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string); ++ } + +- lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); ++ lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); + return rc; + } + +Index: trunk/lib/ipmi_channel.c +=================================================================== +--- trunk.orig/lib/ipmi_channel.c ++++ trunk/lib/ipmi_channel.c +@@ -378,7 +378,10 @@ ipmi_get_channel_cipher_suites(struct ip + lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); + return -1; + } +- if (rsp->ccode > 0) { ++ if (rsp->ccode ++ || rsp->data_len < 1 ++ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) ++ { + lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", + val2str(rsp->ccode, completion_code_vals)); + return -1; +Index: trunk/lib/ipmi_session.c +=================================================================== +--- trunk.orig/lib/ipmi_session.c ++++ trunk/lib/ipmi_session.c +@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf + } + else + { +- memcpy(&session_info, rsp->data, rsp->data_len); +- print_session_info(&session_info, rsp->data_len); ++ memcpy(&session_info, rsp->data, ++ __min(rsp->data_len, sizeof(session_info))); ++ print_session_info(&session_info, ++ __min(rsp->data_len, sizeof(session_info))); + } + break; + +@@ -341,9 +343,10 @@ ipmi_get_session_info(struct ipmi_intf + break; + } + +- memcpy(&session_info, rsp->data, rsp->data_len); +- print_session_info(&session_info, rsp->data_len); +- ++ memcpy(&session_info, rsp->data, ++ __min(rsp->data_len, sizeof(session_info))); ++ print_session_info(&session_info, ++ __min(rsp->data_len, sizeof(session_info))); + } while (i <= session_info.session_slot_count); + break; + } +Index: trunk/lib/dimm_spd.c +=================================================================== +--- trunk.orig/lib/dimm_spd.c ++++ trunk/lib/dimm_spd.c +@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * in + struct ipmi_rq req; + struct fru_info fru; + uint8_t *spd_data, msg_data[4]; +- int len, offset; ++ uint32_t len, offset; + + msg_data[0] = id; + +@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * in + } + + len = rsp->data[0]; ++ if(rsp->data_len < 1 ++ || len > rsp->data_len - 1 ++ || len > fru.size - offset) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } + memcpy(&spd_data[offset], rsp->data + 1, len); + offset += len; + } while (offset < fru.size); -- cgit v1.2.3 From 9b4a0960bc824081746318c5e6a2eb2d2f80435a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 22 Aug 2021 20:48:25 +0200 Subject: Add NMU 1.8.18-10.1 --- debian/changelog | 17 ++- ...208_1_Fix_buffer_overflow_vulnerabilities.patch | 120 ++++++++++++++++++ ...Fix-buffer-overflow-in-ipmi_spd_print_fru.patch | 48 ++++++++ ...-buffer-overflow-in-ipmi_get_session_info.patch | 48 ++++++++ ...E-2020-5208_4-channel-Fix-buffer-overflow.patch | 37 ++++++ ...-buffer-overflows-in-get_lan_param_select.patch | 85 +++++++++++++ ..._6-fru-sdr-Fix-id_string-buffer-overflows.patch | 134 +++++++++++++++++++++ debian/patches/series | 8 +- 8 files changed, 494 insertions(+), 3 deletions(-) create mode 100644 debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch create mode 100644 debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch create mode 100644 debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch create mode 100644 debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch create mode 100644 debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch create mode 100644 debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch diff --git a/debian/changelog b/debian/changelog index b390d02..65c4ad7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,5 @@ ipmitool (1.8.18-11) unstable; urgency=medium - * Fix CVE-2020-5208 (Closes: #950761): - - New debian/patches/0505-fix_CVE-2020-5208.patch. * Remove useless debian/ipmitool.lintian-overrides. * Declare compliance with Debian Policy 4.5.1 (No changes needed). * Remove useless DEP 8 Smoketest. @@ -14,6 +12,21 @@ ipmitool (1.8.18-11) unstable; urgency=medium -- Jörg Frings-Fürst Sun, 03 Jan 2021 11:03:11 +0100 +ipmitool (1.8.18-10.1) unstable; urgency=high + + * Non-maintainer upload. + * CVE-2020-5208: buffer overflows and potentially to remote code execution. + Applied upstream patches: + - CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch + - CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch + - CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch + - CVE-2020-5208_4-channel-Fix-buffer-overflow.patch + - CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch + - CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch + (Closes: #950761). + + -- Thomas Goirand Fri, 19 Feb 2021 11:04:17 +0100 + ipmitool (1.8.18-10) unstable; urgency=medium * Add "Restrictions: superficial" to debian/tests/control (Closes: #969834). diff --git a/debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch b/debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch new file mode 100644 index 0000000..1c3029d --- /dev/null +++ b/debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch @@ -0,0 +1,120 @@ +Description: fru: Fix buffer overflow vulnerabilities + Partial fix for CVE-2020-5208, see + https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp + . + The `read_fru_area_section` function only performs size validation of + requested read size, and falsely assumes that the IPMI message will not + respond with more than the requested amount of data; it uses the + unvalidated response size to copy into `frubuf`. If the response is + larger than the request, this can result in overflowing the buffer. + . + The same issue affects the `read_fru_area` function. +Author: Chrostoper Ertl +Date: Thu, 28 Nov 2019 16:33:59 +0000 + +Index: ipmitool-1.8.18/lib/ipmi_fru.c +=================================================================== +--- ipmitool-1.8.18.orig/lib/ipmi_fru.c ++++ ipmitool-1.8.18/lib/ipmi_fru.c +@@ -615,7 +615,10 @@ int + read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + uint32_t offset, uint32_t length, uint8_t *frubuf) + { +- uint32_t off = offset, tmp, finish; ++ uint32_t off = offset; ++ uint32_t tmp; ++ uint32_t finish; ++ uint32_t size_left_in_buffer; + struct ipmi_rs * rsp; + struct ipmi_rq req; + uint8_t msg_data[4]; +@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, s + + finish = offset + length; + if (finish > fru->size) { ++ memset(frubuf + fru->size, 0, length - fru->size); + finish = fru->size; + lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " + "Adjusting to %d", + offset + length, finish - offset); ++ length = finish - offset; + } + + memset(&req, 0, sizeof(req)); +@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, s + } + } + ++ size_left_in_buffer = length; + do { + tmp = fru->access ? off >> 1 : off; + msg_data[0] = id; +@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, s + } + + tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; ++ if(rsp->data_len < 1 ++ || tmp > rsp->data_len - 1 ++ || tmp > size_left_in_buffer) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } ++ + memcpy(frubuf, rsp->data + 1, tmp); + off += tmp; + frubuf += tmp; ++ size_left_in_buffer -= tmp; + /* sometimes the size returned in the Info command + * is too large. return 0 so higher level function + * still attempts to parse what was returned */ +@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * + uint32_t offset, uint32_t length, uint8_t *frubuf) + { + static uint32_t fru_data_rqst_size = 20; +- uint32_t off = offset, tmp, finish; ++ uint32_t off = offset; ++ uint32_t tmp, finish; ++ uint32_t size_left_in_buffer; + struct ipmi_rs * rsp; + struct ipmi_rq req; + uint8_t msg_data[4]; +@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * + + finish = offset + length; + if (finish > fru->size) { ++ memset(frubuf + fru->size, 0, length - fru->size); + finish = fru->size; + lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " + "Adjusting to %d", + offset + length, finish - offset); ++ length = finish - offset; + } + + memset(&req, 0, sizeof(req)); +@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * + if (fru->access && fru_data_rqst_size > 16) + #endif + fru_data_rqst_size = 16; ++ ++ size_left_in_buffer = length; + do { + tmp = fru->access ? off >> 1 : off; + msg_data[0] = id; +@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * + } + + tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; ++ if(rsp->data_len < 1 ++ || tmp > rsp->data_len - 1 ++ || tmp > size_left_in_buffer) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } + memcpy((frubuf + off)-offset, rsp->data + 1, tmp); + off += tmp; ++ size_left_in_buffer -= tmp; + + /* sometimes the size returned in the Info command + * is too large. return 0 so higher level function diff --git a/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch new file mode 100644 index 0000000..efa2381 --- /dev/null +++ b/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch @@ -0,0 +1,48 @@ +From 840fb1cbb4fb365cb9797300e3374d4faefcdb10 Mon Sep 17 00:00:00 2001 +From: Chrostoper Ertl +Date: Thu, 28 Nov 2019 16:44:18 +0000 +Subject: [PATCH 2/6] fru: Fix buffer overflow in ipmi_spd_print_fru + +Partial fix for CVE-2020-5208, see +https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp + +The `ipmi_spd_print_fru` function has a similar issue as the one fixed +by the previous commit in `read_fru_area_section`. An initial request is +made to get the `fru.size`, which is used as the size for the allocation +of `spd_data`. Inside a loop, further requests are performed to get the +copy sizes which are not checked before being used as the size for a +copy into the buffer. +--- + lib/dimm_spd.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c +index 163a2c2..d559cb4 100644 +--- a/lib/dimm_spd.c ++++ b/lib/dimm_spd.c +@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) + struct ipmi_rq req; + struct fru_info fru; + uint8_t *spd_data, msg_data[4]; +- int len, offset; ++ uint32_t len, offset; + + msg_data[0] = id; + +@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) + } + + len = rsp->data[0]; ++ if(rsp->data_len < 1 ++ || len > rsp->data_len - 1 ++ || len > fru.size - offset) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } + memcpy(&spd_data[offset], rsp->data + 1, len); + offset += len; + } while (offset < fru.size); +-- +2.20.1 + diff --git a/debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch b/debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch new file mode 100644 index 0000000..df07c96 --- /dev/null +++ b/debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch @@ -0,0 +1,48 @@ +From 41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 Mon Sep 17 00:00:00 2001 +From: Chrostoper Ertl +Date: Thu, 28 Nov 2019 16:51:49 +0000 +Subject: [PATCH 3/6] session: Fix buffer overflow in ipmi_get_session_info + +Partial fix for CVE-2020-5208, see +https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp + +The `ipmi_get_session_info` function does not properly check the +response `data_len`, which is used as a copy size, allowing stack buffer +overflow. +--- + lib/ipmi_session.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c +index ecf4afc..b282d6d 100644 +--- a/lib/ipmi_session.c ++++ b/lib/ipmi_session.c +@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, + } + else + { +- memcpy(&session_info, rsp->data, rsp->data_len); +- print_session_info(&session_info, rsp->data_len); ++ memcpy(&session_info, rsp->data, ++ __min(rsp->data_len, sizeof(session_info))); ++ print_session_info(&session_info, ++ __min(rsp->data_len, sizeof(session_info))); + } + break; + +@@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, + break; + } + +- memcpy(&session_info, rsp->data, rsp->data_len); +- print_session_info(&session_info, rsp->data_len); ++ memcpy(&session_info, rsp->data, ++ __min(rsp->data_len, sizeof(session_info))); ++ print_session_info(&session_info, ++ __min(rsp->data_len, sizeof(session_info))); + + } while (i <= session_info.session_slot_count); + break; +-- +2.20.1 + diff --git a/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch b/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch new file mode 100644 index 0000000..cae9ddd --- /dev/null +++ b/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch @@ -0,0 +1,37 @@ +Subject: [PATCH 4/6] channel: Fix buffer overflow + Partial fix for CVE-2020-5208, see + https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp + . + The `ipmi_get_channel_cipher_suites` function does not properly check + the final response’s `data_len`, which can lead to stack buffer overflow + on the final copy. + From 9452be87181a6e83cfcc768b3ed8321763db50e4 Mon Sep 17 00:00:00 2001 +From: Chrostoper Ertl +Date: Thu, 28 Nov 2019 16:56:38 +0000 +Last-Update: 2021-02-08 + +--- ipmitool-1.8.18.orig/lib/ipmi_channel.c ++++ ipmitool-1.8.18/lib/ipmi_channel.c +@@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ip + lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); + return -1; + } +- if (rsp->ccode > 0) { ++ if (rsp->ccode ++ || rsp->data_len < 1 ++ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) ++ { + lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", + val2str(rsp->ccode, completion_code_vals)); + return -1; +--- a/include/ipmitool/ipmi_channel.h 2016-05-29 21:46:53.000000000 +0200 ++++ b/include/ipmitool/ipmi_channel.h 2021-02-08 23:45:10.598535426 +0100 +@@ -77,6 +77,8 @@ + uint8_t user_level_auth; + }; + ++#define MAX_CIPHER_SUITE_DATA_LEN 0x10 ++ + /* + * The Get Authentication Capabilities response structure + * From table 22-15 of the IPMI v2.0 spec diff --git a/debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch b/debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch new file mode 100644 index 0000000..9c10aeb --- /dev/null +++ b/debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch @@ -0,0 +1,85 @@ +From d45572d71e70840e0d4c50bf48218492b79c1a10 Mon Sep 17 00:00:00 2001 +From: Chrostoper Ertl +Date: Thu, 28 Nov 2019 17:06:39 +0000 +Subject: [PATCH 5/6] lanp: Fix buffer overflows in get_lan_param_select +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Partial fix for CVE-2020-5208, see +https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp + +The `get_lan_param_select` function is missing a validation check on the +response’s `data_len`, which it then returns to caller functions, where +stack buffer overflow can occur. +--- + lib/ipmi_lanp.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +Index: ipmitool-1.8.18/lib/ipmi_lanp.c +=================================================================== +--- ipmitool-1.8.18.orig/lib/ipmi_lanp.c ++++ ipmitool-1.8.18/lib/ipmi_lanp.c +@@ -1809,7 +1809,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + /* set new ipaddr */ + memcpy(data+3, temp, 4); + printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert, +@@ -1824,7 +1824,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + /* set new macaddr */ + memcpy(data+7, temp, 6); + printf("Setting LAN Alert %d MAC Address to " +@@ -1838,7 +1838,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (strncasecmp(argv[1], "def", 3) == 0 || + strncasecmp(argv[1], "default", 7) == 0) { +@@ -1864,7 +1864,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (strncasecmp(argv[1], "on", 2) == 0 || + strncasecmp(argv[1], "yes", 3) == 0) { +@@ -1889,7 +1889,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (strncasecmp(argv[1], "pet", 3) == 0) { + printf("Setting LAN Alert %d destination to PET Trap\n", alert); +@@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (str2uchar(argv[1], &data[2]) != 0) { + lprintf(LOG_ERR, "Invalid time: %s", argv[1]); +@@ -1933,7 +1933,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (str2uchar(argv[1], &data[3]) != 0) { + lprintf(LOG_ERR, "Invalid retry: %s", argv[1]); diff --git a/debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch b/debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch new file mode 100644 index 0000000..03451ed --- /dev/null +++ b/debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch @@ -0,0 +1,134 @@ +From 7ccea283dd62a05a320c1921e3d8d71a87772637 Mon Sep 17 00:00:00 2001 +From: Chrostoper Ertl +Date: Thu, 28 Nov 2019 17:13:45 +0000 +Subject: [PATCH 6/6] fru, sdr: Fix id_string buffer overflows + +Final part of the fixes for CVE-2020-5208, see +https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp + +9 variants of stack buffer overflow when parsing `id_string` field of +SDR records returned from `CMD_GET_SDR` command. + +SDR record structs have an `id_code` field, and an `id_string` `char` +array. + +The length of `id_string` is calculated as `(id_code & 0x1f) + 1`, +which can be larger than expected 16 characters (if `id_code = 0xff`, +then length will be `(0xff & 0x1f) + 1 = 32`). + +In numerous places, this can cause stack buffer overflow when copying +into fixed buffer of size `17` bytes from this calculated length. +--- + lib/ipmi_fru.c | 2 +- + lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++---------------- + 2 files changed, 25 insertions(+), 17 deletions(-) + +Index: ipmitool-1.8.18/lib/ipmi_fru.c +=================================================================== +--- ipmitool-1.8.18.orig/lib/ipmi_fru.c ++++ ipmitool-1.8.18/lib/ipmi_fru.c +@@ -3062,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf, + return 0; + + memset(desc, 0, sizeof(desc)); +- memcpy(desc, fru->id_string, fru->id_code & 0x01f); ++ memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc))); + desc[fru->id_code & 0x01f] = 0; + printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id); + +Index: ipmitool-1.8.18/lib/ipmi_sdr.c +=================================================================== +--- ipmitool-1.8.18.orig/lib/ipmi_sdr.c ++++ ipmitool-1.8.18/lib/ipmi_sdr.c +@@ -2084,7 +2084,7 @@ ipmi_sdr_print_sensor_eventonly(struct i + return -1; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string); + + if (verbose) { + printf("Sensor ID : %s (0x%x)\n", +@@ -2135,7 +2135,7 @@ ipmi_sdr_print_sensor_mc_locator(struct + return -1; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string); + + if (verbose == 0) { + if (csv_output) +@@ -2228,7 +2228,7 @@ ipmi_sdr_print_sensor_generic_locator(st + char desc[17]; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string); + + if (!verbose) { + if (csv_output) +@@ -2285,7 +2285,7 @@ ipmi_sdr_print_sensor_fru_locator(struct + char desc[17]; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string); + + if (!verbose) { + if (csv_output) +@@ -2489,35 +2489,43 @@ ipmi_sdr_print_name_from_rawentry(struct + + int rc =0; + char desc[17]; ++ const char *id_string; ++ uint8_t id_code; + memset(desc, ' ', sizeof (desc)); + + switch ( type) { + case SDR_RECORD_TYPE_FULL_SENSOR: + record.full = (struct sdr_record_full_sensor *) raw; +- snprintf(desc, (record.full->id_code & 0x1f) +1, "%s", +- (const char *)record.full->id_string); ++ id_code = record.full->id_code; ++ id_string = record.full->id_string; + break; ++ + case SDR_RECORD_TYPE_COMPACT_SENSOR: + record.compact = (struct sdr_record_compact_sensor *) raw ; +- snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s", +- (const char *)record.compact->id_string); ++ id_code = record.compact->id_code; ++ id_string = record.compact->id_string; + break; ++ + case SDR_RECORD_TYPE_EVENTONLY_SENSOR: + record.eventonly = (struct sdr_record_eventonly_sensor *) raw ; +- snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s", +- (const char *)record.eventonly->id_string); +- break; ++ id_code = record.eventonly->id_code; ++ id_string = record.eventonly->id_string; ++ break; ++ + case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR: + record.mcloc = (struct sdr_record_mc_locator *) raw ; +- snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s", +- (const char *)record.mcloc->id_string); ++ id_code = record.mcloc->id_code; ++ id_string = record.mcloc->id_string; + break; ++ + default: + rc = -1; +- break; +- } ++ } ++ if (!rc) { ++ snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string); ++ } + +- lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); ++ lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); + return rc; + } + diff --git a/debian/patches/series b/debian/patches/series index 7305f1e..771ac8f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,4 +1,4 @@ -0505-fix_CVE-2020-5208.patch +#0505-fix_CVE-2020-5208.patch 0120-openssl1.1.patch 0100-fix_buf_overflow.patch 0500-fix_CVE-2011-4339.patch @@ -10,3 +10,9 @@ 0130-Correct_lanplus_segment_violation.patch 0005-gcc10.patch 0010-utf8.patch +CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch +CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch +CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch +CVE-2020-5208_4-channel-Fix-buffer-overflow.patch +CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch +CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch -- cgit v1.2.3 From 83304d2d486ddbc85d99ad03137095eaab3a23f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 22 Aug 2021 20:50:03 +0200 Subject: Declare compliance with Debian Policy 4.6.0.0 --- debian/changelog | 4 ++-- debian/control | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index 65c4ad7..815b373 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,7 @@ ipmitool (1.8.18-11) unstable; urgency=medium * Remove useless debian/ipmitool.lintian-overrides. - * Declare compliance with Debian Policy 4.5.1 (No changes needed). + * Declare compliance with Debian Policy 4.6.0.0 (No changes needed). * Remove useless DEP 8 Smoketest. * debian/copyright: - Add year 2021 to debian/*. @@ -10,7 +10,7 @@ ipmitool (1.8.18-11) unstable; urgency=medium * New debian/TROUBLESHOOTING.Debian (Closes: #950206): - Add Fix if /dev/ipmiX is missing. - -- Jörg Frings-Fürst Sun, 03 Jan 2021 11:03:11 +0100 + -- Jörg Frings-Fürst Sun, 22 Aug 2021 20:49:31 +0200 ipmitool (1.8.18-10.1) unstable; urgency=high diff --git a/debian/control b/debian/control index c509c21..06e676a 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,7 @@ Build-Depends: libfreeipmi-dev [!hurd-i386], libreadline-dev, libssl-dev -Standards-Version: 4.5.1 +Standards-Version: 4.6.0.0 Rules-Requires-Root: no Vcs-Git: git://jff.email/opt/git/ipmitool.git Vcs-Browser: https://jff.email/cgit/ipmitool.git -- cgit v1.2.3 From 8b63e36ac19d89fd3eff396514a5612f4b2df870 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 22 Aug 2021 21:08:12 +0200 Subject: Rewrite for #950206 --- debian/TROUBLESHOOTING.Debian | 14 -------------- debian/changelog | 4 ++-- debian/systemd/ipmitool.ipmievd.service | 1 + 3 files changed, 3 insertions(+), 16 deletions(-) delete mode 100644 debian/TROUBLESHOOTING.Debian diff --git a/debian/TROUBLESHOOTING.Debian b/debian/TROUBLESHOOTING.Debian deleted file mode 100644 index 6efcea2..0000000 --- a/debian/TROUBLESHOOTING.Debian +++ /dev/null @@ -1,14 +0,0 @@ - -1.) Could not open device at /dev/ipmiX - - - -1.) Could not open device at /dev/ipmiX - -If you get this error messages on start ipmievd and you have you have an IPMI Interface you can fix this with: - -- apt install openipmi -- systemctl edit ipmied - and add into teh Unit section - After=openipmi.service - diff --git a/debian/changelog b/debian/changelog index 815b373..845f485 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,8 +7,8 @@ ipmitool (1.8.18-11) unstable; urgency=medium - Add year 2021 to debian/*. * debian/ipmitool.maintscript (Closes: #947384): - Change prior-version to 1.8.18-11~. - * New debian/TROUBLESHOOTING.Debian (Closes: #950206): - - Add Fix if /dev/ipmiX is missing. + * debian/systemd/ipmitool.ipmievd.service: + - Add After=openipmi.service (Closes: #950206). -- Jörg Frings-Fürst Sun, 22 Aug 2021 20:49:31 +0200 diff --git a/debian/systemd/ipmitool.ipmievd.service b/debian/systemd/ipmitool.ipmievd.service index fdae14f..db30b27 100644 --- a/debian/systemd/ipmitool.ipmievd.service +++ b/debian/systemd/ipmitool.ipmievd.service @@ -1,5 +1,6 @@ [Unit] Description=IPMI event daemon +After=openipmi.service [Service] Type=forking -- cgit v1.2.3 From 4c21e0e4d421d20d7bf5550f8bff0230645960e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Mon, 23 Aug 2021 07:37:51 +0200 Subject: Change Date/time --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 845f485..c08965e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,7 +10,7 @@ ipmitool (1.8.18-11) unstable; urgency=medium * debian/systemd/ipmitool.ipmievd.service: - Add After=openipmi.service (Closes: #950206). - -- Jörg Frings-Fürst Sun, 22 Aug 2021 20:49:31 +0200 + -- Jörg Frings-Fürst Sun, 22 Aug 2021 21:15:52 +0200 ipmitool (1.8.18-10.1) unstable; urgency=high -- cgit v1.2.3