From b5a8534205bc140af7049c301d83f7bee7815686 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sat, 29 Oct 2022 18:54:30 +0200 Subject: Remove longer not needed patches --- debian/changelog | 1 + debian/patches/0005-gcc10.patch | 63 ----- debian/patches/0110-getpass-prototype.patch | 23 -- debian/patches/0115-typo.patch | 164 ----------- debian/patches/0120-openssl1.1.patch | 150 ----------- debian/patches/0125-nvidia-iana.patch | 36 --- .../0130-Correct_lanplus_segment_violation.patch | 29 -- debian/patches/0500-fix_CVE-2011-4339.patch | 21 -- debian/patches/0505-fix_CVE-2020-5208.patch | 299 --------------------- debian/patches/0600-manpage_longlines.patch | 56 ---- debian/patches/0615-manpage_typo.patch | 49 ---- ...208_1_Fix_buffer_overflow_vulnerabilities.patch | 120 --------- ...Fix-buffer-overflow-in-ipmi_spd_print_fru.patch | 48 ---- ...-buffer-overflow-in-ipmi_get_session_info.patch | 48 ---- ...E-2020-5208_4-channel-Fix-buffer-overflow.patch | 37 --- ...-buffer-overflows-in-get_lan_param_select.patch | 85 ------ ..._6-fru-sdr-Fix-id_string-buffer-overflows.patch | 134 --------- debian/patches/series | 16 -- 18 files changed, 1 insertion(+), 1378 deletions(-) delete mode 100644 debian/patches/0005-gcc10.patch delete mode 100644 debian/patches/0110-getpass-prototype.patch delete mode 100644 debian/patches/0115-typo.patch delete mode 100644 debian/patches/0120-openssl1.1.patch delete mode 100644 debian/patches/0125-nvidia-iana.patch delete mode 100644 debian/patches/0130-Correct_lanplus_segment_violation.patch delete mode 100644 debian/patches/0500-fix_CVE-2011-4339.patch delete mode 100644 debian/patches/0505-fix_CVE-2020-5208.patch delete mode 100644 debian/patches/0600-manpage_longlines.patch delete mode 100644 debian/patches/0615-manpage_typo.patch delete mode 100644 debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch delete mode 100644 debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch delete mode 100644 debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch delete mode 100644 debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch delete mode 100644 debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch delete mode 100644 debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch diff --git a/debian/changelog b/debian/changelog index ef1b8ed..520f742 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,7 @@ ipmitool (1.8.19-1) UNRELEASED; urgency=medium * New upstrem release. - New debian/patches/0700-build.patch. - New debian/patches/0620-manpage_typo.patch. + * Remove longer not needed patches. -- Jörg Frings-Fürst Sat, 10 Sep 2022 15:35:32 +0200 diff --git a/debian/patches/0005-gcc10.patch b/debian/patches/0005-gcc10.patch deleted file mode 100644 index a4e5d8a..0000000 --- a/debian/patches/0005-gcc10.patch +++ /dev/null @@ -1,63 +0,0 @@ -Description: Fix ftbfs with gcc-10 -Author: Jörg Frings-Fürst -Bug: https://github.com/ipmitool/ipmitool/issues/220 -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=957371 -Last-Update: 2020-07-28 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: trunk/include/ipmitool/ipmi_hpmfwupg.h -=================================================================== ---- trunk.orig/include/ipmitool/ipmi_hpmfwupg.h -+++ trunk/include/ipmitool/ipmi_hpmfwupg.h -@@ -30,9 +30,22 @@ - * EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. - */ - -+ - #ifndef IPMI_HPMFWUPG_H - #define IPMI_HPMFWUPG_H - -+ -+#ifdef IPMI_HPMFWUPG_MOD -+ -+ #define EXTERN -+ -+#else -+ -+ #define EXTERN extern -+ -+#endif -+ -+ - #include - #include - -@@ -800,10 +813,12 @@ typedef struct _VERSIONINFO { - char descString[HPMFWUPG_DESC_STRING_LENGTH + 1]; - }VERSIONINFO, *PVERSIONINFO; - --VERSIONINFO gVersionInfo[HPMFWUPG_COMPONENT_ID_MAX]; -+EXTERN VERSIONINFO gVersionInfo[HPMFWUPG_COMPONENT_ID_MAX]; - - #define TARGET_VER (0x01) - #define ROLLBACK_VER (0x02) - #define IMAGE_VER (0x04) - - #endif /* IPMI_KFWUM_H */ -+ -+#undef EXTERN -Index: trunk/lib/ipmi_hpmfwupg.c -=================================================================== ---- trunk.orig/lib/ipmi_hpmfwupg.c -+++ trunk/lib/ipmi_hpmfwupg.c -@@ -37,7 +37,10 @@ - - #include - #include -+ -+#define IPMI_HPMFWUPG_MOD - #include -+ - #include - #include - #include diff --git a/debian/patches/0110-getpass-prototype.patch b/debian/patches/0110-getpass-prototype.patch deleted file mode 100644 index ecd8ee9..0000000 --- a/debian/patches/0110-getpass-prototype.patch +++ /dev/null @@ -1,23 +0,0 @@ -Description: use necessary source dialect to ensure getpass() availability - getpass is a deprecated function, and building with either c99 or gnu99 - does not ensure this function's availability. So instead, declare - _DEFAULT_SOURCE so that the function remains available. -Author: Steve Langasek -Origin: , -Bug: -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819340 -Last-Update: 2016-05-15 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: trunk/lib/ipmi_main.c -=================================================================== ---- trunk.orig/lib/ipmi_main.c -+++ trunk/lib/ipmi_main.c -@@ -34,6 +34,7 @@ - (_XOPEN_SOURCE >= 500 || \ - _XOPEN_SOURCE && _XOPEN_SOURCE_EXTENDED) && \ - !(_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600) -+#define _DEFAULT_SOURCE - - #include - #include diff --git a/debian/patches/0115-typo.patch b/debian/patches/0115-typo.patch deleted file mode 100644 index e8f762c..0000000 --- a/debian/patches/0115-typo.patch +++ /dev/null @@ -1,164 +0,0 @@ -Description: source typos -Author: Jörg Frings-Fürst -Forwarded: not-needed -Last-Update: 2017-08-13 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: trunk/lib/dimm_spd.c -=================================================================== ---- trunk.orig/lib/dimm_spd.c -+++ trunk/lib/dimm_spd.c -@@ -798,7 +798,7 @@ const struct valstr jedec_id5_vals[] = { - { 0xE3, "WIS Technologies" }, - { 0x64, "GateChange Technologies" }, - { 0xE5, "High Density Devices AS" }, -- { 0xE6, "Synopsys" }, -+ { 0xE6, "Synopsis" }, - { 0x67, "Gigaram" }, - { 0x68, "Enigma Semiconductor Inc." }, - { 0xE9, "Century Micro Inc." }, -Index: trunk/lib/ipmi_hpmfwupg.c -=================================================================== ---- trunk.orig/lib/ipmi_hpmfwupg.c -+++ trunk/lib/ipmi_hpmfwupg.c -@@ -1507,7 +1507,7 @@ HpmfwupgGetTargetUpgCapabilities(struct - pCtx->resp.GlobalCapabilities.bitField.autRollbackOverride ? 'y' : 'n'); - lprintf(LOG_NOTICE, "IPMC degraded...........[%c] ", - pCtx->resp.GlobalCapabilities.bitField.ipmcDegradedDurinUpg ? 'y' : 'n'); -- lprintf(LOG_NOTICE, "Defered activation......[%c] ", -+ lprintf(LOG_NOTICE, "Deferred activation......[%c] ", - pCtx->resp.GlobalCapabilities.bitField.deferActivation ? 'y' : 'n'); - lprintf(LOG_NOTICE, "Service affected........[%c] ", - pCtx->resp.GlobalCapabilities.bitField.servAffectDuringUpg ? 'y' : 'n'); -Index: trunk/lib/ipmi_kontronoem.c -=================================================================== ---- trunk.orig/lib/ipmi_kontronoem.c -+++ trunk/lib/ipmi_kontronoem.c -@@ -85,7 +85,7 @@ ipmi_kontronoem_main(struct ipmi_intf *i - return (-1); - } - if (ipmi_kontron_set_serial_number(intf) > 0) { -- printf("FRU serial number setted successfully\n"); -+ printf("FRU serial number set successfully\n"); - } else { - printf("FRU serial number set failed\n"); - rc = (-1); -@@ -96,7 +96,7 @@ ipmi_kontronoem_main(struct ipmi_intf *i - return (-1); - } - if (ipmi_kontron_set_mfg_date(intf) > 0) { -- printf("FRU manufacturing date setted successfully\n"); -+ printf("FRU manufacturing date set successfully\n"); - } else { - printf("FRU manufacturing date set failed\n"); - rc = (-1); -Index: trunk/lib/ipmi_ekanalyzer.c -=================================================================== ---- trunk.orig/lib/ipmi_ekanalyzer.c -+++ trunk/lib/ipmi_ekanalyzer.c -@@ -3398,7 +3398,7 @@ ipmi_ek_display_board_p2p_record(struct - printf("ShMC Cross-connect (two-pair)\n"); - break; - default: -- printf("Unknwon\n"); -+ printf("Unknown\n"); - break; - } - } else if (d->type == FRU_PICMGEXT_LINK_TYPE_FABRIC_ETHERNET) { -@@ -3413,17 +3413,17 @@ ipmi_ek_display_board_p2p_record(struct - printf("FC-PI\n"); - break; - default: -- printf("Unknwon\n"); -+ printf("Unknown\n"); - break; - } - } else if (d->type == FRU_PICMGEXT_LINK_TYPE_FABRIC_INFINIBAND) { -- printf("Unknwon\n"); -+ printf("Unknown\n"); - } else if (d->type == FRU_PICMGEXT_LINK_TYPE_FABRIC_STAR) { -- printf("Unknwon\n"); -+ printf("Unknown\n"); - } else if (d->type == FRU_PICMGEXT_LINK_TYPE_PCIE) { -- printf("Unknwon\n"); -+ printf("Unknown\n"); - } else { -- printf("Unknwon\n"); -+ printf("Unknown\n"); - } - printf("\tLink Type:\t\t0x%02x - ", d->type); - if (d->type == 0 || d->type == 0xff) { -Index: trunk/src/ipmievd.c -=================================================================== ---- trunk.orig/src/ipmievd.c -+++ trunk/src/ipmievd.c -@@ -125,7 +125,7 @@ static int openipmi_wait(struct ipmi_eve - static int openipmi_read(struct ipmi_event_intf * eintf); - static struct ipmi_event_intf openipmi_event_intf = { - .name = "open", -- .desc = "OpenIPMI asyncronous notification of events", -+ .desc = "OpenIPMI asynchronous notification of events", - .prefix = "", - .setup = openipmi_setup, - .wait = openipmi_wait, -@@ -864,7 +864,7 @@ ipmievd_open_main(struct ipmi_intf * int - - struct ipmi_cmd ipmievd_cmd_list[] = { - #ifdef IPMI_INTF_OPEN -- { ipmievd_open_main, "open", "Use OpenIPMI for asyncronous notification of events" }, -+ { ipmievd_open_main, "open", "Use OpenIPMI for asynchronous notification of events" }, - #endif - { ipmievd_sel_main, "sel", "Poll SEL for notification of events" }, - { NULL } -Index: trunk/include/ipmitool/ipmi_pef.h -=================================================================== ---- trunk.orig/include/ipmitool/ipmi_pef.h -+++ trunk/include/ipmitool/ipmi_pef.h -@@ -178,7 +178,7 @@ BIT_DESC_MAP_LIST, - {"Entity presence", 37}, - {"Monitor ASIC/IC", 38}, - {"LAN", 39}, -- {"Management subsytem health",40}, -+ {"Management subsystem health",40}, - {"Battery", 41}, - {NULL} - } }; -Index: trunk/doc/ipmievd.8 -=================================================================== ---- trunk.orig/doc/ipmievd.8 -+++ trunk/doc/ipmievd.8 -@@ -145,7 +145,7 @@ placed at the end of commands to get opt - > ipmievd help - .br - Commands: -- open Use OpenIPMI for asyncronous notification of events -+ open Use OpenIPMI for asynchronous notification of events - sel Poll SEL for notification of events - - .TP -Index: trunk/lib/ipmi_lanp.c -=================================================================== ---- trunk.orig/lib/ipmi_lanp.c -+++ trunk/lib/ipmi_lanp.c -@@ -1271,7 +1271,7 @@ print_lan_set_bad_pass_thresh_usage(void - { - lprintf(LOG_NOTICE, - "lan set bad_pass_thresh <1|0> \n" --" Bad Pasword Threshold number.\n" -+" Bad Password Threshold number.\n" - " <1|0> 1 = generate a Session Audit sensor event.\n" - " 0 = do not generate an event.\n" - " Attempt Count Reset Interval. In tens of seconds.\n" -Index: trunk/lib/ipmi_mc.c -=================================================================== ---- trunk.orig/lib/ipmi_mc.c -+++ trunk/lib/ipmi_mc.c -@@ -583,7 +583,7 @@ static int ipmi_mc_get_selftest(struct i - printf(" -> SEL device not accessible\n"); - } - if (sft_res->test & IPM_SELFTEST_SDR_ERROR) { -- printf(" -> SDR repository not accesible\n"); -+ printf(" -> SDR repository not accessible\n"); - } - if (sft_res->test & IPM_SELFTEST_FRU_ERROR) { - printf("FRU device not accessible\n"); diff --git a/debian/patches/0120-openssl1.1.patch b/debian/patches/0120-openssl1.1.patch deleted file mode 100644 index a7523fd..0000000 --- a/debian/patches/0120-openssl1.1.patch +++ /dev/null @@ -1,150 +0,0 @@ -Description: Migrate to openssl 1.1 - Cherry-picked from upstream -Author: Jörg Frings-Fürst -Origin: upstream https://sourceforge.net/p/ipmitool/source/ci/1664902525a1c3771b4d8b3ccab7ea1ba6b2bdd1/ -Bug: https://sourceforge.net/p/ipmitool/bugs/461/ -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853782 -Forwarded: not-needed -Last-Update: 2017-08-13 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: trunk/src/plugins/lanplus/lanplus_crypt_impl.c -=================================================================== ---- trunk.orig/src/plugins/lanplus/lanplus_crypt_impl.c -+++ trunk/src/plugins/lanplus/lanplus_crypt_impl.c -@@ -164,11 +164,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_ - uint8_t * output, - uint32_t * bytes_written) - { -- EVP_CIPHER_CTX ctx; -- EVP_CIPHER_CTX_init(&ctx); -- EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv); -- EVP_CIPHER_CTX_set_padding(&ctx, 0); -- -+ EVP_CIPHER_CTX *ctx = NULL; - - *bytes_written = 0; - -@@ -182,6 +178,14 @@ lanplus_encrypt_aes_cbc_128(const uint8_ - printbuf(input, input_length, "encrypting this data"); - } - -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) { -+ lprintf(LOG_DEBUG, "ERROR: EVP_CIPHER_CTX_new() failed"); -+ return; -+ } -+ EVP_CIPHER_CTX_init(ctx); -+ EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); -+ EVP_CIPHER_CTX_set_padding(ctx, 0); - - /* - * The default implementation adds a whole block of padding if the input -@@ -191,28 +195,28 @@ lanplus_encrypt_aes_cbc_128(const uint8_ - assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0); - - -- if(!EVP_EncryptUpdate(&ctx, output, (int *)bytes_written, input, input_length)) -+ if(!EVP_EncryptUpdate(ctx, output, (int *)bytes_written, input, input_length)) - { - /* Error */ - *bytes_written = 0; -- return; - } - else - { - uint32_t tmplen; - -- if(!EVP_EncryptFinal_ex(&ctx, output + *bytes_written, (int *)&tmplen)) -+ if(!EVP_EncryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen)) - { -+ /* Error */ - *bytes_written = 0; -- return; /* Error */ - } - else - { - /* Success */ - *bytes_written += tmplen; -- EVP_CIPHER_CTX_cleanup(&ctx); - } - } -+ /* performs cleanup and free */ -+ EVP_CIPHER_CTX_free(ctx); - } - - -@@ -239,11 +243,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_ - uint8_t * output, - uint32_t * bytes_written) - { -- EVP_CIPHER_CTX ctx; -- EVP_CIPHER_CTX_init(&ctx); -- EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv); -- EVP_CIPHER_CTX_set_padding(&ctx, 0); -- -+ EVP_CIPHER_CTX *ctx = NULL; - - if (verbose >= 5) - { -@@ -252,12 +252,20 @@ lanplus_decrypt_aes_cbc_128(const uint8_ - printbuf(input, input_length, "decrypting this data"); - } - -- - *bytes_written = 0; - - if (input_length == 0) - return; - -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) { -+ lprintf(LOG_DEBUG, "ERROR: EVP_CIPHER_CTX_new() failed"); -+ return; -+ } -+ EVP_CIPHER_CTX_init(ctx); -+ EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); -+ EVP_CIPHER_CTX_set_padding(ctx, 0); -+ - /* - * The default implementation adds a whole block of padding if the input - * data is perfectly aligned. We would like to keep that from happening. -@@ -266,33 +274,33 @@ lanplus_decrypt_aes_cbc_128(const uint8_ - assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0); - - -- if (!EVP_DecryptUpdate(&ctx, output, (int *)bytes_written, input, input_length)) -+ if (!EVP_DecryptUpdate(ctx, output, (int *)bytes_written, input, input_length)) - { - /* Error */ - lprintf(LOG_DEBUG, "ERROR: decrypt update failed"); - *bytes_written = 0; -- return; - } - else - { - uint32_t tmplen; - -- if (!EVP_DecryptFinal_ex(&ctx, output + *bytes_written, (int *)&tmplen)) -+ if (!EVP_DecryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen)) - { -+ /* Error */ - char buffer[1000]; - ERR_error_string(ERR_get_error(), buffer); - lprintf(LOG_DEBUG, "the ERR error %s", buffer); - lprintf(LOG_DEBUG, "ERROR: decrypt final failed"); - *bytes_written = 0; -- return; /* Error */ - } - else - { - /* Success */ - *bytes_written += tmplen; -- EVP_CIPHER_CTX_cleanup(&ctx); - } - } -+ /* performs cleanup and free */ -+ EVP_CIPHER_CTX_free(ctx); - - if (verbose >= 5) - { diff --git a/debian/patches/0125-nvidia-iana.patch b/debian/patches/0125-nvidia-iana.patch deleted file mode 100644 index 28276f8..0000000 --- a/debian/patches/0125-nvidia-iana.patch +++ /dev/null @@ -1,36 +0,0 @@ -Description: Add IANA ID for NVIDIA hardware - Add the NVIDIA IANA ID to the hardcoded list used in ipmitool <= 1.8.18. - After upstream commit "9d41136 ID:491 - Fetch vendor IDs from IANA", ipmitool - generates a list of vendor IDs dynamically at build time, so we can drop this - patch in future releases. -Author: dann frazier -Origin: backport -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903616 -Forwarded: not-needed -Last-Update: 2018-07-11 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: ipmitool-1.8.18/include/ipmitool/ipmi.h -=================================================================== ---- ipmitool-1.8.18.orig/include/ipmitool/ipmi.h -+++ ipmitool-1.8.18/include/ipmitool/ipmi.h -@@ -279,6 +279,7 @@ typedef enum IPMI_OEM { - /* 4769 for [IBM Corporation] */ - IPMI_OEM_IBM_4769 = 4769, - IPMI_OEM_MAGNUM = 5593, -+ IPMI_OEM_NVIDIA = 5703, - IPMI_OEM_TYAN = 6653, - IPMI_OEM_QUANTA = 7244, - IPMI_OEM_NEWISYS = 9237, -Index: ipmitool-1.8.18/lib/ipmi_strings.c -=================================================================== ---- ipmitool-1.8.18.orig/lib/ipmi_strings.c -+++ ipmitool-1.8.18/lib/ipmi_strings.c -@@ -96,6 +96,7 @@ const struct valstr ipmi_oem_info[] = { - { IPMI_OEM_IBM_4769, "IBM Corporation" }, - { IPMI_OEM_IBM_20301, "IBM eServer X" }, - { IPMI_OEM_ADLINK_24339, "ADLINK Technology Inc." }, -+ { IPMI_OEM_NVIDIA, "NVIDIA Corporation" }, - { 0xffff , NULL }, - }; - diff --git a/debian/patches/0130-Correct_lanplus_segment_violation.patch b/debian/patches/0130-Correct_lanplus_segment_violation.patch deleted file mode 100644 index 17e8fe5..0000000 --- a/debian/patches/0130-Correct_lanplus_segment_violation.patch +++ /dev/null @@ -1,29 +0,0 @@ -Description: Fix lanplus segment violation for truncated response -Origin: upstream, https://github.com/pjdhpe/ipmitool/commit/815aae70cf8dc9f0e1ba1923fc4ec3cc16d0d2f1?diff=unified -Bug: https://github.com/ipmitool/ipmitool/issues/72 -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945764 -Last-Update: 2019-12-22 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: trunk/src/plugins/lanplus/lanplus.c -=================================================================== ---- trunk.orig/src/plugins/lanplus/lanplus.c -+++ trunk/src/plugins/lanplus/lanplus.c -@@ -819,7 +819,7 @@ ipmi_lan_poll_single(struct ipmi_intf * - * rsp->data_len becomes the length of that data - */ - extra_data_length = payload_size - (offset - payload_start) - 1; -- if (extra_data_length) { -+ if (extra_data_length > 0) { - rsp->data_len = extra_data_length; - memmove(rsp->data, rsp->data + offset, extra_data_length); - } else { -@@ -873,7 +873,7 @@ ipmi_lan_poll_single(struct ipmi_intf * - } - read_sol_packet(rsp, &offset); - extra_data_length = payload_size - (offset - payload_start); -- if (rsp && extra_data_length) { -+ if (rsp && extra_data_length > 0) { - rsp->data_len = extra_data_length; - memmove(rsp->data, rsp->data + offset, extra_data_length); - } else { diff --git a/debian/patches/0500-fix_CVE-2011-4339.patch b/debian/patches/0500-fix_CVE-2011-4339.patch deleted file mode 100644 index 62a9d0c..0000000 --- a/debian/patches/0500-fix_CVE-2011-4339.patch +++ /dev/null @@ -1,21 +0,0 @@ -Description: CVE-2011-4339 - insecure file permission when creating PID files - based on 112_fix_CVE-2011-4339 -Author: Jörg Frings-Fürst -Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651917 -Forwarded: https://sourceforge.net/p/ipmitool/patches/99/ -Last-Update: 2014-12-01 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: trunk/lib/helper.c -=================================================================== ---- trunk.orig/lib/helper.c -+++ trunk/lib/helper.c -@@ -829,7 +829,6 @@ ipmi_start_daemon(struct ipmi_intf *intf - #endif - - chdir("/"); -- umask(0); - - for (fd=0; fd<64; fd++) { - if (fd != intf->fd) diff --git a/debian/patches/0505-fix_CVE-2020-5208.patch b/debian/patches/0505-fix_CVE-2020-5208.patch deleted file mode 100644 index 1295180..0000000 --- a/debian/patches/0505-fix_CVE-2020-5208.patch +++ /dev/null @@ -1,299 +0,0 @@ -Description: Fix CVE-2020-5208 -Origin: backport from - https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2 - https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10 - https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 - https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4 - https://github.com/ipmitool/ipmitool/commit/d45572d71e70840e0d4c50bf48218492b79c1a10 - https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637 -Bug: https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950761 -Forwarded: not-needed -Last-Update: 2021-01-03 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: trunk/lib/ipmi_fru.c -=================================================================== ---- trunk.orig/lib/ipmi_fru.c -+++ trunk/lib/ipmi_fru.c -@@ -615,7 +615,10 @@ int - read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - uint32_t offset, uint32_t length, uint8_t *frubuf) - { -- uint32_t off = offset, tmp, finish; -+ uint32_t off = offset; -+ uint32_t tmp; -+ uint32_t finish; -+ uint32_t size_left_in_buffer; - struct ipmi_rs * rsp; - struct ipmi_rq req; - uint8_t msg_data[4]; -@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, s - - finish = offset + length; - if (finish > fru->size) { -+ memset(frubuf + fru->size, 0, length - fru->size); - finish = fru->size; - lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " - "Adjusting to %d", - offset + length, finish - offset); -+ length = finish - offset; - } - - memset(&req, 0, sizeof(req)); -@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, s - } - } - -+ size_left_in_buffer = length; - do { - tmp = fru->access ? off >> 1 : off; - msg_data[0] = id; -@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, s - } - - tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; -+ if(rsp->data_len < 1 -+ || tmp > rsp->data_len - 1 -+ || tmp > size_left_in_buffer) -+ { -+ printf(" Not enough buffer size"); -+ return -1; -+ } -+ - memcpy(frubuf, rsp->data + 1, tmp); - off += tmp; - frubuf += tmp; -+ size_left_in_buffer -= tmp; - /* sometimes the size returned in the Info command - * is too large. return 0 so higher level function - * still attempts to parse what was returned */ -@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * - uint32_t offset, uint32_t length, uint8_t *frubuf) - { - static uint32_t fru_data_rqst_size = 20; -- uint32_t off = offset, tmp, finish; -+ uint32_t off = offset; -+ uint32_t tmp, finish; -+ uint32_t size_left_in_buffer; - struct ipmi_rs * rsp; - struct ipmi_rq req; - uint8_t msg_data[4]; -@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * - - finish = offset + length; - if (finish > fru->size) { -+ memset(frubuf + fru->size, 0, length - fru->size); - finish = fru->size; - lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " - "Adjusting to %d", - offset + length, finish - offset); -+ length = finish - offset; - } - - memset(&req, 0, sizeof(req)); -@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * - if (fru->access && fru_data_rqst_size > 16) - #endif - fru_data_rqst_size = 16; -+ -+ size_left_in_buffer = length; - do { - tmp = fru->access ? off >> 1 : off; - msg_data[0] = id; -@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * - } - - tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; -+ if(rsp->data_len < 1 -+ || tmp > rsp->data_len - 1 -+ || tmp > size_left_in_buffer) -+ { -+ printf(" Not enough buffer size"); -+ return -1; -+ } - memcpy((frubuf + off)-offset, rsp->data + 1, tmp); - off += tmp; -+ size_left_in_buffer -= tmp; - - /* sometimes the size returned in the Info command - * is too large. return 0 so higher level function -@@ -3033,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf, - return 0; - - memset(desc, 0, sizeof(desc)); -- memcpy(desc, fru->id_string, fru->id_code & 0x01f); -+ memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc))); - desc[fru->id_code & 0x01f] = 0; - printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id); - -Index: trunk/lib/ipmi_sdr.c -=================================================================== ---- trunk.orig/lib/ipmi_sdr.c -+++ trunk/lib/ipmi_sdr.c -@@ -2084,7 +2084,7 @@ ipmi_sdr_print_sensor_eventonly(struct i - return -1; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string); - - if (verbose) { - printf("Sensor ID : %s (0x%x)\n", -@@ -2135,7 +2135,7 @@ ipmi_sdr_print_sensor_mc_locator(struct - return -1; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string); - - if (verbose == 0) { - if (csv_output) -@@ -2228,7 +2228,7 @@ ipmi_sdr_print_sensor_generic_locator(st - char desc[17]; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string); - - if (!verbose) { - if (csv_output) -@@ -2285,7 +2285,7 @@ ipmi_sdr_print_sensor_fru_locator(struct - char desc[17]; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string); - - if (!verbose) { - if (csv_output) -@@ -2489,35 +2489,43 @@ ipmi_sdr_print_name_from_rawentry(struct - - int rc =0; - char desc[17]; -+ const char *id_string; -+ uint8_t id_code; - memset(desc, ' ', sizeof (desc)); - - switch ( type) { - case SDR_RECORD_TYPE_FULL_SENSOR: - record.full = (struct sdr_record_full_sensor *) raw; -- snprintf(desc, (record.full->id_code & 0x1f) +1, "%s", -- (const char *)record.full->id_string); -+ id_code = record.full->id_code; -+ id_string = record.full->id_string; - break; -+ - case SDR_RECORD_TYPE_COMPACT_SENSOR: - record.compact = (struct sdr_record_compact_sensor *) raw ; -- snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s", -- (const char *)record.compact->id_string); -+ id_code = record.compact->id_code; -+ id_string = record.compact->id_string; - break; -+ - case SDR_RECORD_TYPE_EVENTONLY_SENSOR: - record.eventonly = (struct sdr_record_eventonly_sensor *) raw ; -- snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s", -- (const char *)record.eventonly->id_string); -- break; -+ id_code = record.eventonly->id_code; -+ id_string = record.eventonly->id_string; -+ break; -+ - case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR: - record.mcloc = (struct sdr_record_mc_locator *) raw ; -- snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s", -- (const char *)record.mcloc->id_string); -+ id_code = record.mcloc->id_code; -+ id_string = record.mcloc->id_string; - break; -+ - default: - rc = -1; -- break; -- } -+ } -+ if (!rc) { -+ snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string); -+ } - -- lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); -+ lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); - return rc; - } - -Index: trunk/lib/ipmi_channel.c -=================================================================== ---- trunk.orig/lib/ipmi_channel.c -+++ trunk/lib/ipmi_channel.c -@@ -378,7 +378,10 @@ ipmi_get_channel_cipher_suites(struct ip - lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); - return -1; - } -- if (rsp->ccode > 0) { -+ if (rsp->ccode -+ || rsp->data_len < 1 -+ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) -+ { - lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", - val2str(rsp->ccode, completion_code_vals)); - return -1; -Index: trunk/lib/ipmi_session.c -=================================================================== ---- trunk.orig/lib/ipmi_session.c -+++ trunk/lib/ipmi_session.c -@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf - } - else - { -- memcpy(&session_info, rsp->data, rsp->data_len); -- print_session_info(&session_info, rsp->data_len); -+ memcpy(&session_info, rsp->data, -+ __min(rsp->data_len, sizeof(session_info))); -+ print_session_info(&session_info, -+ __min(rsp->data_len, sizeof(session_info))); - } - break; - -@@ -341,9 +343,10 @@ ipmi_get_session_info(struct ipmi_intf - break; - } - -- memcpy(&session_info, rsp->data, rsp->data_len); -- print_session_info(&session_info, rsp->data_len); -- -+ memcpy(&session_info, rsp->data, -+ __min(rsp->data_len, sizeof(session_info))); -+ print_session_info(&session_info, -+ __min(rsp->data_len, sizeof(session_info))); - } while (i <= session_info.session_slot_count); - break; - } -Index: trunk/lib/dimm_spd.c -=================================================================== ---- trunk.orig/lib/dimm_spd.c -+++ trunk/lib/dimm_spd.c -@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * in - struct ipmi_rq req; - struct fru_info fru; - uint8_t *spd_data, msg_data[4]; -- int len, offset; -+ uint32_t len, offset; - - msg_data[0] = id; - -@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * in - } - - len = rsp->data[0]; -+ if(rsp->data_len < 1 -+ || len > rsp->data_len - 1 -+ || len > fru.size - offset) -+ { -+ printf(" Not enough buffer size"); -+ return -1; -+ } - memcpy(&spd_data[offset], rsp->data + 1, len); - offset += len; - } while (offset < fru.size); diff --git a/debian/patches/0600-manpage_longlines.patch b/debian/patches/0600-manpage_longlines.patch deleted file mode 100644 index 8fae0a9..0000000 --- a/debian/patches/0600-manpage_longlines.patch +++ /dev/null @@ -1,56 +0,0 @@ -Description: long lines in man-page - prevent "can't break line" warnings -Author: Jörg Frings-Fürst -Forwarded: not-needed -Last-Update: 2014-05-20 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: trunk/doc/ipmitool.1 -=================================================================== ---- trunk.orig/doc/ipmitool.1 -+++ trunk/doc/ipmitool.1 -@@ -1035,7 +1035,7 @@ Display point to point physical connecti - AMC slot B2 topology: - Port 0 =====> On Carrier Device ID 0, Port 3 - Port 2 =====> AMC slot B1, Port 2 -- *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* -+ *-*-*-* *-*-* *-*-* *-*-* *-*-* *-*-* *-*-* - From Carrier file: carrierfru - On Carrier Device ID 0 topology: - Port 0 =====> AMC slot B1, Port 4 -@@ -1091,7 +1091,7 @@ and an AMC module or between 2 AMC modul - \-Link Type: AMC.2 Ethernet - \-Link Type extension: 1000BASE-BX (SerDES Gigabit) Ethernet link - \-Link Group ID: 0 || Link Asym. Match: exact match -- *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* -+ *-*-*-* *-*-* *-*-* *-*-* *-*-* *-*-* *-*-* - AMC slot B1 port 1 ==> On-Carrier Device 0 port 12 - Matching Result - - From On-Carrier Device ID 0 -@@ -1104,7 +1104,7 @@ and an AMC module or between 2 AMC modul - \-Link Type: AMC.2 Ethernet - \-Link Type extension: 1000BASE-BX (SerDES Gigabit) Ethernet link - \-Link Group ID: 0 || Link Asym. Match: exact match -- *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* -+ *-*-*-* *-*-* *-*-* *-*-* *-*-* *-*-* *-*-* - On-Carrier Device vs AMC slot A2 - AMC slot A2 port 0 ==> On-Carrier Device 0 port 3 - Matching Result -@@ -1118,7 +1118,7 @@ and an AMC module or between 2 AMC modul - \-Link Type: AMC.2 Ethernet - \-Link Type extension: 1000BASE-BX (SerDES Gigabit) Ethernet link - \-Link Group ID: 0 || Link Asym. Match: exact match -- *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* -+ *-*-*-* *-*-* *-*-* *-*-* *-*-* *-*-* *-*-* - AMC slot B1 vs AMC slot A2 - AMC slot A2 port 2 ==> AMC slot B1 port 2 - Matching Result -@@ -1132,7 +1132,7 @@ and an AMC module or between 2 AMC modul - \-Link Type: AMC.3 Storage - \-Link Type extension: Serial Attached SCSI (SAS/SATA) - \-Link Group ID: 0 || Link Asym. Match: FC or SAS interface {exact match} -- *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* -+ *-*-*-* *-*-* *-*-* *-*-* *-*-* *-*-* *-*-* - .TP - \fIunmatch\fP <\fBxx=filename\fR> <\fBxx=filename\fR> \fB...\fr - .br diff --git a/debian/patches/0615-manpage_typo.patch b/debian/patches/0615-manpage_typo.patch deleted file mode 100644 index b1196d7..0000000 --- a/debian/patches/0615-manpage_typo.patch +++ /dev/null @@ -1,49 +0,0 @@ -Description: typo in man-pages -Author: Jörg Frings-Fürst -Last-Update: 2019-07-18 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: trunk/doc/ipmitool.1 -=================================================================== ---- trunk.orig/doc/ipmitool.1 -+++ trunk/doc/ipmitool.1 -@@ -2478,7 +2478,7 @@ Discover Node Manager presence as well a - .br - - Add a new power policy, or overwrite an existing policy. --The \fIcorrection\fP parameter is the agressiveness of frequency limiting, default is auto. -+The \fIcorrection\fP parameter is the aggressiveness of frequency limiting, default is auto. - The \fItrig_lim\fP is the correction time limit and must be at least 6000 and not greater than 65535. - The \fIstats\fP setting is the averaging period in seconds and ranges from 1-65535. - If domain is not supplied a default of platform is used. -@@ -2489,7 +2489,7 @@ If domain is not supplied a default of p - .br - - Add a new inlet temp policy, or overwrite an existing policy. --The \fIcorrection\fP parameter is the agressiveness of frequency limiting, default is auto. -+The \fIcorrection\fP parameter is the aggressiveness of frequency limiting, default is auto. - The \fItrig_lim\fP is the correction time limit and must be at least 6000 and not greater than 65535. - The \fIstats\fP setting is the averaging period in seconds and ranges from 1-65535. - If domain is not supplied a default of platform is used. -@@ -3657,7 +3657,7 @@ and encryption algorithms to use for for - on the cipher suite ID found in the IPMIv2.0 specification in table - 22\-19. The default cipher suite is \fI3\fP which specifies - RAKP\-HMAC\-SHA1 authentication, HMAC\-SHA1\-96 integrity, and AES\-CBC\-128 --encryption algorightms. -+encryption algorithms. - - .SH "FREE INTERFACE" - .LP -Index: trunk/doc/ipmievd.8 -=================================================================== ---- trunk.orig/doc/ipmievd.8 -+++ trunk/doc/ipmievd.8 -@@ -56,7 +56,7 @@ This is not available with all commands. - The remote server authentication, integrity, and encryption algorithms - to use for IPMIv2 \fIlanplus\fP connections. See table 22\-19 in the - IPMIv2 specification. The default is 3 which specifies RAKP\-HMAC\-SHA1 --authentication, HMAC\-SHA1\-96 integrity, and AES\-CBC\-128 encryption algorightms. -+authentication, HMAC\-SHA1\-96 integrity, and AES\-CBC\-128 encryption algorithms. - .TP - \fB\-E\fR - The remote server password is specified by the environment diff --git a/debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch b/debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch deleted file mode 100644 index 1c3029d..0000000 --- a/debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch +++ /dev/null @@ -1,120 +0,0 @@ -Description: fru: Fix buffer overflow vulnerabilities - Partial fix for CVE-2020-5208, see - https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp - . - The `read_fru_area_section` function only performs size validation of - requested read size, and falsely assumes that the IPMI message will not - respond with more than the requested amount of data; it uses the - unvalidated response size to copy into `frubuf`. If the response is - larger than the request, this can result in overflowing the buffer. - . - The same issue affects the `read_fru_area` function. -Author: Chrostoper Ertl -Date: Thu, 28 Nov 2019 16:33:59 +0000 - -Index: ipmitool-1.8.18/lib/ipmi_fru.c -=================================================================== ---- ipmitool-1.8.18.orig/lib/ipmi_fru.c -+++ ipmitool-1.8.18/lib/ipmi_fru.c -@@ -615,7 +615,10 @@ int - read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - uint32_t offset, uint32_t length, uint8_t *frubuf) - { -- uint32_t off = offset, tmp, finish; -+ uint32_t off = offset; -+ uint32_t tmp; -+ uint32_t finish; -+ uint32_t size_left_in_buffer; - struct ipmi_rs * rsp; - struct ipmi_rq req; - uint8_t msg_data[4]; -@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, s - - finish = offset + length; - if (finish > fru->size) { -+ memset(frubuf + fru->size, 0, length - fru->size); - finish = fru->size; - lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " - "Adjusting to %d", - offset + length, finish - offset); -+ length = finish - offset; - } - - memset(&req, 0, sizeof(req)); -@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, s - } - } - -+ size_left_in_buffer = length; - do { - tmp = fru->access ? off >> 1 : off; - msg_data[0] = id; -@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, s - } - - tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; -+ if(rsp->data_len < 1 -+ || tmp > rsp->data_len - 1 -+ || tmp > size_left_in_buffer) -+ { -+ printf(" Not enough buffer size"); -+ return -1; -+ } -+ - memcpy(frubuf, rsp->data + 1, tmp); - off += tmp; - frubuf += tmp; -+ size_left_in_buffer -= tmp; - /* sometimes the size returned in the Info command - * is too large. return 0 so higher level function - * still attempts to parse what was returned */ -@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * - uint32_t offset, uint32_t length, uint8_t *frubuf) - { - static uint32_t fru_data_rqst_size = 20; -- uint32_t off = offset, tmp, finish; -+ uint32_t off = offset; -+ uint32_t tmp, finish; -+ uint32_t size_left_in_buffer; - struct ipmi_rs * rsp; - struct ipmi_rq req; - uint8_t msg_data[4]; -@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * - - finish = offset + length; - if (finish > fru->size) { -+ memset(frubuf + fru->size, 0, length - fru->size); - finish = fru->size; - lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " - "Adjusting to %d", - offset + length, finish - offset); -+ length = finish - offset; - } - - memset(&req, 0, sizeof(req)); -@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * - if (fru->access && fru_data_rqst_size > 16) - #endif - fru_data_rqst_size = 16; -+ -+ size_left_in_buffer = length; - do { - tmp = fru->access ? off >> 1 : off; - msg_data[0] = id; -@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * - } - - tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; -+ if(rsp->data_len < 1 -+ || tmp > rsp->data_len - 1 -+ || tmp > size_left_in_buffer) -+ { -+ printf(" Not enough buffer size"); -+ return -1; -+ } - memcpy((frubuf + off)-offset, rsp->data + 1, tmp); - off += tmp; -+ size_left_in_buffer -= tmp; - - /* sometimes the size returned in the Info command - * is too large. return 0 so higher level function diff --git a/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch deleted file mode 100644 index efa2381..0000000 --- a/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 840fb1cbb4fb365cb9797300e3374d4faefcdb10 Mon Sep 17 00:00:00 2001 -From: Chrostoper Ertl -Date: Thu, 28 Nov 2019 16:44:18 +0000 -Subject: [PATCH 2/6] fru: Fix buffer overflow in ipmi_spd_print_fru - -Partial fix for CVE-2020-5208, see -https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp - -The `ipmi_spd_print_fru` function has a similar issue as the one fixed -by the previous commit in `read_fru_area_section`. An initial request is -made to get the `fru.size`, which is used as the size for the allocation -of `spd_data`. Inside a loop, further requests are performed to get the -copy sizes which are not checked before being used as the size for a -copy into the buffer. ---- - lib/dimm_spd.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c -index 163a2c2..d559cb4 100644 ---- a/lib/dimm_spd.c -+++ b/lib/dimm_spd.c -@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) - struct ipmi_rq req; - struct fru_info fru; - uint8_t *spd_data, msg_data[4]; -- int len, offset; -+ uint32_t len, offset; - - msg_data[0] = id; - -@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) - } - - len = rsp->data[0]; -+ if(rsp->data_len < 1 -+ || len > rsp->data_len - 1 -+ || len > fru.size - offset) -+ { -+ printf(" Not enough buffer size"); -+ return -1; -+ } - memcpy(&spd_data[offset], rsp->data + 1, len); - offset += len; - } while (offset < fru.size); --- -2.20.1 - diff --git a/debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch b/debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch deleted file mode 100644 index df07c96..0000000 --- a/debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 Mon Sep 17 00:00:00 2001 -From: Chrostoper Ertl -Date: Thu, 28 Nov 2019 16:51:49 +0000 -Subject: [PATCH 3/6] session: Fix buffer overflow in ipmi_get_session_info - -Partial fix for CVE-2020-5208, see -https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp - -The `ipmi_get_session_info` function does not properly check the -response `data_len`, which is used as a copy size, allowing stack buffer -overflow. ---- - lib/ipmi_session.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c -index ecf4afc..b282d6d 100644 ---- a/lib/ipmi_session.c -+++ b/lib/ipmi_session.c -@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, - } - else - { -- memcpy(&session_info, rsp->data, rsp->data_len); -- print_session_info(&session_info, rsp->data_len); -+ memcpy(&session_info, rsp->data, -+ __min(rsp->data_len, sizeof(session_info))); -+ print_session_info(&session_info, -+ __min(rsp->data_len, sizeof(session_info))); - } - break; - -@@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, - break; - } - -- memcpy(&session_info, rsp->data, rsp->data_len); -- print_session_info(&session_info, rsp->data_len); -+ memcpy(&session_info, rsp->data, -+ __min(rsp->data_len, sizeof(session_info))); -+ print_session_info(&session_info, -+ __min(rsp->data_len, sizeof(session_info))); - - } while (i <= session_info.session_slot_count); - break; --- -2.20.1 - diff --git a/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch b/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch deleted file mode 100644 index cae9ddd..0000000 --- a/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch +++ /dev/null @@ -1,37 +0,0 @@ -Subject: [PATCH 4/6] channel: Fix buffer overflow - Partial fix for CVE-2020-5208, see - https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp - . - The `ipmi_get_channel_cipher_suites` function does not properly check - the final response’s `data_len`, which can lead to stack buffer overflow - on the final copy. - From 9452be87181a6e83cfcc768b3ed8321763db50e4 Mon Sep 17 00:00:00 2001 -From: Chrostoper Ertl -Date: Thu, 28 Nov 2019 16:56:38 +0000 -Last-Update: 2021-02-08 - ---- ipmitool-1.8.18.orig/lib/ipmi_channel.c -+++ ipmitool-1.8.18/lib/ipmi_channel.c -@@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ip - lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); - return -1; - } -- if (rsp->ccode > 0) { -+ if (rsp->ccode -+ || rsp->data_len < 1 -+ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) -+ { - lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", - val2str(rsp->ccode, completion_code_vals)); - return -1; ---- a/include/ipmitool/ipmi_channel.h 2016-05-29 21:46:53.000000000 +0200 -+++ b/include/ipmitool/ipmi_channel.h 2021-02-08 23:45:10.598535426 +0100 -@@ -77,6 +77,8 @@ - uint8_t user_level_auth; - }; - -+#define MAX_CIPHER_SUITE_DATA_LEN 0x10 -+ - /* - * The Get Authentication Capabilities response structure - * From table 22-15 of the IPMI v2.0 spec diff --git a/debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch b/debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch deleted file mode 100644 index 9c10aeb..0000000 --- a/debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch +++ /dev/null @@ -1,85 +0,0 @@ -From d45572d71e70840e0d4c50bf48218492b79c1a10 Mon Sep 17 00:00:00 2001 -From: Chrostoper Ertl -Date: Thu, 28 Nov 2019 17:06:39 +0000 -Subject: [PATCH 5/6] lanp: Fix buffer overflows in get_lan_param_select -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Partial fix for CVE-2020-5208, see -https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp - -The `get_lan_param_select` function is missing a validation check on the -response’s `data_len`, which it then returns to caller functions, where -stack buffer overflow can occur. ---- - lib/ipmi_lanp.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -Index: ipmitool-1.8.18/lib/ipmi_lanp.c -=================================================================== ---- ipmitool-1.8.18.orig/lib/ipmi_lanp.c -+++ ipmitool-1.8.18/lib/ipmi_lanp.c -@@ -1809,7 +1809,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - /* set new ipaddr */ - memcpy(data+3, temp, 4); - printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert, -@@ -1824,7 +1824,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - /* set new macaddr */ - memcpy(data+7, temp, 6); - printf("Setting LAN Alert %d MAC Address to " -@@ -1838,7 +1838,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (strncasecmp(argv[1], "def", 3) == 0 || - strncasecmp(argv[1], "default", 7) == 0) { -@@ -1864,7 +1864,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (strncasecmp(argv[1], "on", 2) == 0 || - strncasecmp(argv[1], "yes", 3) == 0) { -@@ -1889,7 +1889,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (strncasecmp(argv[1], "pet", 3) == 0) { - printf("Setting LAN Alert %d destination to PET Trap\n", alert); -@@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (str2uchar(argv[1], &data[2]) != 0) { - lprintf(LOG_ERR, "Invalid time: %s", argv[1]); -@@ -1933,7 +1933,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (str2uchar(argv[1], &data[3]) != 0) { - lprintf(LOG_ERR, "Invalid retry: %s", argv[1]); diff --git a/debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch b/debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch deleted file mode 100644 index 03451ed..0000000 --- a/debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch +++ /dev/null @@ -1,134 +0,0 @@ -From 7ccea283dd62a05a320c1921e3d8d71a87772637 Mon Sep 17 00:00:00 2001 -From: Chrostoper Ertl -Date: Thu, 28 Nov 2019 17:13:45 +0000 -Subject: [PATCH 6/6] fru, sdr: Fix id_string buffer overflows - -Final part of the fixes for CVE-2020-5208, see -https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp - -9 variants of stack buffer overflow when parsing `id_string` field of -SDR records returned from `CMD_GET_SDR` command. - -SDR record structs have an `id_code` field, and an `id_string` `char` -array. - -The length of `id_string` is calculated as `(id_code & 0x1f) + 1`, -which can be larger than expected 16 characters (if `id_code = 0xff`, -then length will be `(0xff & 0x1f) + 1 = 32`). - -In numerous places, this can cause stack buffer overflow when copying -into fixed buffer of size `17` bytes from this calculated length. ---- - lib/ipmi_fru.c | 2 +- - lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++---------------- - 2 files changed, 25 insertions(+), 17 deletions(-) - -Index: ipmitool-1.8.18/lib/ipmi_fru.c -=================================================================== ---- ipmitool-1.8.18.orig/lib/ipmi_fru.c -+++ ipmitool-1.8.18/lib/ipmi_fru.c -@@ -3062,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf, - return 0; - - memset(desc, 0, sizeof(desc)); -- memcpy(desc, fru->id_string, fru->id_code & 0x01f); -+ memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc))); - desc[fru->id_code & 0x01f] = 0; - printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id); - -Index: ipmitool-1.8.18/lib/ipmi_sdr.c -=================================================================== ---- ipmitool-1.8.18.orig/lib/ipmi_sdr.c -+++ ipmitool-1.8.18/lib/ipmi_sdr.c -@@ -2084,7 +2084,7 @@ ipmi_sdr_print_sensor_eventonly(struct i - return -1; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string); - - if (verbose) { - printf("Sensor ID : %s (0x%x)\n", -@@ -2135,7 +2135,7 @@ ipmi_sdr_print_sensor_mc_locator(struct - return -1; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string); - - if (verbose == 0) { - if (csv_output) -@@ -2228,7 +2228,7 @@ ipmi_sdr_print_sensor_generic_locator(st - char desc[17]; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string); - - if (!verbose) { - if (csv_output) -@@ -2285,7 +2285,7 @@ ipmi_sdr_print_sensor_fru_locator(struct - char desc[17]; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string); - - if (!verbose) { - if (csv_output) -@@ -2489,35 +2489,43 @@ ipmi_sdr_print_name_from_rawentry(struct - - int rc =0; - char desc[17]; -+ const char *id_string; -+ uint8_t id_code; - memset(desc, ' ', sizeof (desc)); - - switch ( type) { - case SDR_RECORD_TYPE_FULL_SENSOR: - record.full = (struct sdr_record_full_sensor *) raw; -- snprintf(desc, (record.full->id_code & 0x1f) +1, "%s", -- (const char *)record.full->id_string); -+ id_code = record.full->id_code; -+ id_string = record.full->id_string; - break; -+ - case SDR_RECORD_TYPE_COMPACT_SENSOR: - record.compact = (struct sdr_record_compact_sensor *) raw ; -- snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s", -- (const char *)record.compact->id_string); -+ id_code = record.compact->id_code; -+ id_string = record.compact->id_string; - break; -+ - case SDR_RECORD_TYPE_EVENTONLY_SENSOR: - record.eventonly = (struct sdr_record_eventonly_sensor *) raw ; -- snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s", -- (const char *)record.eventonly->id_string); -- break; -+ id_code = record.eventonly->id_code; -+ id_string = record.eventonly->id_string; -+ break; -+ - case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR: - record.mcloc = (struct sdr_record_mc_locator *) raw ; -- snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s", -- (const char *)record.mcloc->id_string); -+ id_code = record.mcloc->id_code; -+ id_string = record.mcloc->id_string; - break; -+ - default: - rc = -1; -- break; -- } -+ } -+ if (!rc) { -+ snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string); -+ } - -- lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); -+ lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); - return rc; - } - diff --git a/debian/patches/series b/debian/patches/series index ef6bbbe..5200085 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,20 +1,4 @@ -#0505-fix_CVE-2020-5208.patch -#0120-openssl1.1.patch 0620-manpage_typo.patch 0700-build.patch 0100-fix_buf_overflow.patch -#0500-fix_CVE-2011-4339.patch -#0600-manpage_longlines.patch -#0110-getpass-prototype.patch -#0115-typo.patch -#0125-nvidia-iana.patch -#0615-manpage_typo.patch -#0130-Correct_lanplus_segment_violation.patch -#0005-gcc10.patch 0010-utf8.patch -#CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch -#CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch -#CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch -#CVE-2020-5208_4-channel-Fix-buffer-overflow.patch -#CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch -#CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch -- cgit v1.2.3