From 9b4a0960bc824081746318c5e6a2eb2d2f80435a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?=
Date: Sun, 22 Aug 2021 20:48:25 +0200
Subject: Add NMU 1.8.18-10.1
---
...Fix-buffer-overflow-in-ipmi_spd_print_fru.patch | 48 ++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
(limited to 'debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch')
diff --git a/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
new file mode 100644
index 0000000..efa2381
--- /dev/null
+++ b/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
@@ -0,0 +1,48 @@
+From 840fb1cbb4fb365cb9797300e3374d4faefcdb10 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl
+Date: Thu, 28 Nov 2019 16:44:18 +0000
+Subject: [PATCH 2/6] fru: Fix buffer overflow in ipmi_spd_print_fru
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `ipmi_spd_print_fru` function has a similar issue as the one fixed
+by the previous commit in `read_fru_area_section`. An initial request is
+made to get the `fru.size`, which is used as the size for the allocation
+of `spd_data`. Inside a loop, further requests are performed to get the
+copy sizes which are not checked before being used as the size for a
+copy into the buffer.
+---
+ lib/dimm_spd.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c
+index 163a2c2..d559cb4 100644
+--- a/lib/dimm_spd.c
++++ b/lib/dimm_spd.c
+@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
+ struct ipmi_rq req;
+ struct fru_info fru;
+ uint8_t *spd_data, msg_data[4];
+- int len, offset;
++ uint32_t len, offset;
+
+ msg_data[0] = id;
+
+@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
+ }
+
+ len = rsp->data[0];
++ if(rsp->data_len < 1
++ || len > rsp->data_len - 1
++ || len > fru.size - offset)
++ {
++ printf(" Not enough buffer size");
++ return -1;
++ }
+ memcpy(&spd_data[offset], rsp->data + 1, len);
+ offset += len;
+ } while (offset < fru.size);
+--
+2.20.1
+
-- cgit v1.2.3
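Review bot: The bounds check added in the second inner hunk of lib/dimm_spd.c still accepts `len == 0`, so a response whose count byte is zero copies nothing, leaves `offset` unchanged and goes round the `while (offset < fru.size)` loop again; if the responder keeps answering that way the loop never ends. Adding `|| len == 0` to the same condition would treat a read that makes no progress as an error. The new `return -1;` also appears to leave `spd_data` allocated, since the commit message says it is allocated from `fru.size` before the loop, although the allocation itself is outside the hunk; a `free(spd_data);` before the return would cover that. The body of ipmi_spd_print_fru begins and ends outside both inner hunks, so both points should be confirmed against the full function.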