Debian Bug report logs -
#927553
atftp: CVE-2019-11365 CVE-2019-11366
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 20 Apr 2019 18:46:37 UTC
Severity: grave
Tags: patch, security, upstream
Found in version atftp/0.7.git20120829-3
Fixed in versions atftp/0.7.git20120829-3.1, atftp/0.7.git20120829-3.1~deb9u1
Done: Salvatore Bonaccorso <carnil@debian.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Ludovic Drolez <ldrolez@debian.org>:
Bug#927553; Package src:atftp.
(Sat, 20 Apr 2019 18:46:38 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Ludovic Drolez <ldrolez@debian.org>.
(Sat, 20 Apr 2019 18:46:38 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: atftp
Version: 0.7.git20120829-3
Severity: grave
Tags: patch security upstream
Hi,
The following vulnerabilities were published for atftp.
CVE-2019-11365[0]:
| An issue was discovered in atftpd in atftp 0.7.1. A remote attacker
| may send a crafted packet triggering a stack-based buffer overflow due
| to an insecurely implemented strncpy call. The vulnerability is
| triggered by sending an error packet of 3 bytes or fewer. There are
| multiple instances of this vulnerable strncpy pattern within the code
| base, specifically within tftpd_file.c, tftp_file.c, tftpd_mtftp.c,
| and tftp_mtftp.c.
CVE-2019-11366[1]:
| An issue was discovered in atftpd in atftp 0.7.1. It does not lock the
| thread_list_mutex mutex before assigning the current thread data
| structure. As a result, the daemon is vulnerable to a denial of
| service attack due to a NULL pointer dereference. If thread_data is
| NULL when assigned to current, and modified by another thread before a
| certain tftpd_list.c check, there is a crash when dereferencing
| current->next.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-11365
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11365
https://sourceforge.net/p/atftp/code/ci/abed7d245d8e8bdfeab24f9f7f55a52c3140f96b/
[1] https://security-tracker.debian.org/tracker/CVE-2019-11366
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11366
https://sourceforge.net/p/atftp/code/ci/382f76a90b44f81fec00e2f609a94def4a5d3580/
[2] https://pulsesecurity.co.nz/advisories/atftpd-multiple-vulnerabilities
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Ludovic Drolez <ldrolez@debian.org>:
Bug#927553; Package src:atftp.
(Mon, 29 Apr 2019 17:45:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ludovic Drolez <ldrolez@debian.org>.
(Mon, 29 Apr 2019 17:45:07 GMT) (full text, mbox, link).
Message #10 received at 927553@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags -1 + patch
Hi
Attaches my proposed NMU based on the upstream commits, planning to
use that as base for the stretch-security update as well after some
further testing.
Regards,
Salvatore
[atftp_0.7.git20120829-3.1.debdiff (text/plain, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Ludovic Drolez <ldrolez@debian.org>:
Bug#927553; Package src:atftp.
(Tue, 30 Apr 2019 20:06:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ludovic Drolez <ldrolez@debian.org>.
(Tue, 30 Apr 2019 20:06:02 GMT) (full text, mbox, link).
Message #15 received at 927553@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags 927553 + pending
Dear maintainer,
I've prepared an NMU for atftp (versioned as 0.7.git20120829-3.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
[atftp-0.7.git20120829-3.1-nmu.diff (text/x-diff, attachment)]
Added tag(s) pending.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 927553-submit@bugs.debian.org.
(Tue, 30 Apr 2019 20:06:02 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Thu, 02 May 2019 20:36:03 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 02 May 2019 20:36:03 GMT) (full text, mbox, link).
Message #22 received at 927553-close@bugs.debian.org (full text, mbox, reply):
Source: atftp
Source-Version: 0.7.git20120829-3.1
We believe that the bug you reported is fixed in the latest version of
atftp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 927553@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated atftp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 29 Apr 2019 19:37:52 +0200
Source: atftp
Architecture: source
Version: 0.7.git20120829-3.1
Distribution: unstable
Urgency: high
Maintainer: Ludovic Drolez <ldrolez@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 927553
Changes:
atftp (0.7.git20120829-3.1) unstable; urgency=high
.
* Non-maintainer upload.
* Fix concurrency issue denial of service (CVE-2019-11366) (Closes: #927553)
* Fix error handler stack overflow (CVE-2019-11365) (Closes: #927553)
Checksums-Sha1:
21dcbee9f090bf3b96cb7b8a2b92eaa92ba3fdb4 1955 atftp_0.7.git20120829-3.1.dsc
6e41cb56c6d0124f98d1e662057a1ffc93d0cc5d 37239 atftp_0.7.git20120829-3.1.diff.gz
Checksums-Sha256:
d3e7559cd708eeedd1b538f26ca63909b123481e7caada1f739137735ea61418 1955 atftp_0.7.git20120829-3.1.dsc
a30af9010af918024efb4d312f64bd02c4ce7eeef36230f7faf6fc7f89a1a03b 37239 atftp_0.7.git20120829-3.1.diff.gz
Files:
0492ca7e3de16fa24c222771763f7b86 1955 net extra atftp_0.7.git20120829-3.1.dsc
d0e5ecf7643643fdcaea26761a209cf6 37239 net extra atftp_0.7.git20120829-3.1.diff.gz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlzIqBpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ESoIP/0IDpCy4J1gbkTuMywkKSodAiRZ3kAm4
E/CrwOOyPOCQSD/OTlbmvSaVJIfPuIyPnzUIPR8t8+qrbHl/QoAzR8hbT+QHYRer
x6NRdVpTWr0G/sBIaTKpWBSTVNpFuOm/KKrMtGwnGZi2DWYpc/pEyn3nRfYDYlit
u7YNkEPfecrcvE+22dsJdvADJIOT8yNJ+nM+WPe4ZbB+TIDyPZ41Z0AGUG039Y/2
3BRxpndZ5FJyB49zJ2O8pkzFdXq9pmmwaJJfb0pB5Z1OQlKrj6ODHz2WgC3JyAy4
ZYAzrC87h9DLOgaQuNrMsPm+eYbWitSTu4+IMm8g7tyu0frlIgQAmYRpTvIjz5cg
RaDcQGwduDpjMG5BUV0KWTKJgR+VtNfbIH2ThPB3EjNrhJ3HMlOd4PNb3uGEcNWW
EyQ8VIAmysSJQzKJz8v7ObngPVD4GbbYjIjHOD2DL+N5PQoudxW6/YWl72oQNxZ/
EbjMShK2Mmn6Uz3XET1NLdFydefMmceiomutH0Fnxdl7uQnwahCg7p21wzO+PQAl
3j8wYIqMa8G/gAf0AEmp0/XvWOdWWaIAQK9ld7uFExzQ0q/OySgQNlkWo3nhf3ec
BmAKzJ+ezJFlBTNfWXyqq8ENXVRnzri/VYyRI9vNoy0iuNSipyrUkmGNPkxnfLu8
lkLPDdEmKSyU
=KoSm
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Mon, 13 May 2019 21:18:22 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 13 May 2019 21:18:23 GMT) (full text, mbox, link).
Message #27 received at 927553-close@bugs.debian.org (full text, mbox, reply):
Source: atftp
Source-Version: 0.7.git20120829-3.1~deb9u1
We believe that the bug you reported is fixed in the latest version of
atftp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 927553@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated atftp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 03 May 2019 18:51:14 +0200
Source: atftp
Architecture: source
Version: 0.7.git20120829-3.1~deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Ludovic Drolez <ldrolez@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 927553
Changes:
atftp (0.7.git20120829-3.1~deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Rebuild for stretch-security.
.
atftp (0.7.git20120829-3.1) unstable; urgency=high
.
* Non-maintainer upload.
* Fix concurrency issue denial of service (CVE-2019-11366) (Closes: #927553)
* Fix error handler stack overflow (CVE-2019-11365) (Closes: #927553)
Checksums-Sha1:
150b5c9f4d9295de270115370134e2bf7dacfb6b 1983 atftp_0.7.git20120829-3.1~deb9u1.dsc
6db7891546a5e19add6390c33ce82d2b1596c5ac 90982 atftp_0.7.git20120829.orig.tar.gz
d7f9bc5808e42a25f6601d42fbf88a3641d5d576 37883 atftp_0.7.git20120829-3.1~deb9u1.diff.gz
Checksums-Sha256:
7537a800695192123e1250c053fa1d5f14cf4dbd546fc147a90b6c01e71823fa 1983 atftp_0.7.git20120829-3.1~deb9u1.dsc
d93a302ead76a0629feb061768df4393f9da02e3ffbf25eb10d281082ecf02d0 90982 atftp_0.7.git20120829.orig.tar.gz
0099793dc3df449526ca0a9d0e53d980142e373ee109a5909d0ddb897a3f848b 37883 atftp_0.7.git20120829-3.1~deb9u1.diff.gz
Files:
ab7cb822c6ae075c93674d597635f814 1983 net extra atftp_0.7.git20120829-3.1~deb9u1.dsc
f0cf6eb9e38cd7c789c0f953f20e1b69 90982 net extra atftp_0.7.git20120829.orig.tar.gz
13b263980e74dfe008ed055c1f65b164 37883 net extra atftp_0.7.git20120829-3.1~deb9u1.diff.gz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlzMc0VfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E7NkP/0FQog6oXdz6tf4g4gJM0OyOXJPrcKve
zZadQ5PV/b+wLHF4MZl2wQ5Q9pYwd7O1U5UvjDy2Aend+X2vLMe9FWJHVnY2B37V
KXDhS77iJPSJFXv1+KjRa65ptvJA1qjraLnCIpAJfED2aSZBwuAOuVzWdUFtI3LA
ydwSzhzyq16N1f+TStH2QjzKY2dMv8xaePhFEp10CbIrFgxuAwJwMMgWjgaVZU24
rJmRodA21jwMxTYvVBJ3evkgf6Q6P1ler5GyBalzAnGAjTNXGNI0LWUxqrpMTGAF
Ta9IPYll4PAcn+4FCUr6zilVuOCY+cODkEgDHsbdo/jka3VD1XNiWWhm5DrR7Pyx
lStrMdkSaMwGtbU1cEkEm8JwicxR9rS6AOArSC2VDZ/J82s2sxc6lARx5A2ecNF8
Mugatu/ribPIyIjmsrV1RT4kjjlbJR6A/thmzPxPP38rOWXKp3h6RrP1p5AprBun
NpOPvZrRclluBQiDA6dtttZiiZ0/S36Jh4m28wzg3Fs7Y0RFYicsEtOnZ4Z/hj2D
Rxw8SzXxepM/L8cmOUW4UVWfbujOp+EoTOJfLYdUdZjiRjuDuEJk/7CVjrodeUsM
b5Am/vK+chYotK6Jnjl2LdQ/F+dDmAabs4wuUGI/2x/1xyrJ8PrhuUrQwTcAqZaM
RxYLodOdFRkf
=yEIl
-----END PGP SIGNATURE-----
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:58:45 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon