Debian Bug report logs -
#972521
fastd: CVE-2020-27638: DoS'able memory leak on invalid packets
Reported by: Sven Eckelmann <sven@narfation.org>
Date: Mon, 19 Oct 2020 20:30:01 UTC
Severity: important
Tags: security
Found in version fastd/17-4
Fixed in version fastd/21-1
Done: Sven Eckelmann <sven@narfation.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian CommunityWLAN Team <team+communitywlan@tracker.debian.org>
:
Bug#972521
; Package fastd
.
(Mon, 19 Oct 2020 20:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Sven Eckelmann <sven@narfation.org>
:
New Bug report received and forwarded. Copy sent to Debian CommunityWLAN Team <team+communitywlan@tracker.debian.org>
.
(Mon, 19 Oct 2020 20:30:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: fastd
Severity: important
Version: 17-4
fastd doesn't free receive buffers for invalid packets. This can lead to
memory exhaustion or (with v20) to an assert. From the release text:
The new buffer management of fastd v20 revealed that received packets with an
invalid type code were handled incorrectly, leaking the packet buffer. This lead
to an assertion failure as soon as the buffer pool was empty, crashing fastd.
Older versions of fastd are affected as well, but display a different behaviour:
instead of crashing, the buffer leaks will manifest as a regular memory leak.
This can still be used for Denial of Service attacks, so a patch for older
versions will be provided, for the case that users can't or do not want to
update to a newer version yet.
The fix can also be found inside the attached mail.
Kind regards,
Sven
[forwarded message (message/rfc822, inline)]
[Message part 3 (text/plain, inline)]
Faster than expected, there is a new release of fastd, fixing a critial
Denial of Service (fastd crash) vulnerability. All users of fastd v20 must
update.
In fastd v19 and older, the same vulnerablity exists, but exploiting it
will cause a memory leak rather than an instant crash. Users that can't or
do not want to update to v21 yet should apply the patch that is attached to
this mail.
The release notes can be found at:
https://fastd.readthedocs.io/en/stable/releases/v21.html
The new release can be obtained via Git from
https://github.com/NeoRaider/fastd
or as a tarball:
https://github.com/NeoRaider/fastd/releases/download/v21/fastd-21.tar.xz
SHA256: 942f33bcd794bcb8e19da4c30c875bdfd4d0f1c24ec4dcdf51237791bbfb0d4c
-- NeoRaider
[0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, attachment)]
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Sven Eckelmann <sven@narfation.org>
:
You have taken responsibility.
(Mon, 19 Oct 2020 21:03:16 GMT) (full text, mbox, link).
Notification sent
to Sven Eckelmann <sven@narfation.org>
:
Bug acknowledged by developer.
(Mon, 19 Oct 2020 21:03:16 GMT) (full text, mbox, link).
Message #10 received at 972521-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: fastd
Source-Version: 21-1
Done: Sven Eckelmann <sven@narfation.org>
[forwarded message (message/rfc822, inline)]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 19 Oct 2020 21:47:58 +0200
Source: fastd
Architecture: source
Version: 21-1
Distribution: unstable
Urgency: high
Maintainer: Debian CommunityWLAN Team <team+communitywlan@tracker.debian.org>
Changed-By: Sven Eckelmann <sven@narfation.org>
Changes:
fastd (21-1) unstable; urgency=high
.
* New Upstream Version
- Fix crash (assert) when receiving too many invalid packets
Checksums-Sha1:
86e3526afcdd5e029a4c83245f4a784fb824479f 2118 fastd_21-1.dsc
685f538e46b32a1a63c86fbfbc7934d97a93a9a5 137660 fastd_21.orig.tar.xz
f9c38e8e1e410e9a54f092b53f946b8bc1f74a03 6784 fastd_21-1.debian.tar.xz
47e521cb5e55360739824f76c49fb1a4e95060dd 7569 fastd_21-1_source.buildinfo
Checksums-Sha256:
503249c0366679398819d5b3e7d38bf2a59d9cd7ca20d1ec0e68aeb002f45653 2118 fastd_21-1.dsc
942f33bcd794bcb8e19da4c30c875bdfd4d0f1c24ec4dcdf51237791bbfb0d4c 137660 fastd_21.orig.tar.xz
803f8e8e37a53b55001cdd76c0edfc2d1498da045e800d91ca7e804d902276c8 6784 fastd_21-1.debian.tar.xz
30b46e89ce0da3b26dd88b813f611165d3f110b870041b04bb2abcfc417298b6 7569 fastd_21-1_source.buildinfo
Files:
ba245bab5393210f1e75b3c1f98a20e4 2118 net optional fastd_21-1.dsc
6342b9eae209327ce1d0ae99bc493425 137660 net optional fastd_21.orig.tar.xz
ea9046ee7838ee6e38cb2a65f830ab73 6784 net optional fastd_21-1.debian.tar.xz
0f9b4da78c305ceb4256a6397d56a035 7569 net optional fastd_21-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEF10rh4Elc9zjMuACXYcKB8Eme0YFAl+N7ggACgkQXYcKB8Em
e0bmjw//ZizLoG5D3L/kM6kD1OePBywBapBUyu2H86UpSdNExKC7i/Sob2kH4+DI
MldM04bUQ5tViieOGjtdIHicVe3HJKiM9lQZGl7MDWMteG02SQpYpQVIhKEzf+DS
/Eo+naZY0ttvJCEoeAN3CCkS98VoaK9RiynjlMUxmqC/kKmps/N5OFqevzh6g/ot
fFa9wUR2wQ9j2coJI+IplrkJTi3S6GmE9VWbj9ouaf2aLMAWFsl4h4BDHgG8IBFZ
plRT0ANHurBp6bNpJaPcRnndd0pqDjMRoA5/DkIMZTjEzWwKVVGo37wPvF5ac87t
vqfEcd4WbQ6EO26hd+4FxrbFXGqQ6b7fCXjg2BpnoFVGzy4w84e3xmT0s1KYxNmZ
ajKIdrzsl2tbxspdbB6MQonsYXMipw0jZvloI54ftvOe8E8E6sY4CvO61fCgfwFX
ZZ0kn8+1a0jIs/VGh/UgAOT/u+7xGJ9MJZ3mcabn3jNlqFy6E4546OnbX5BjPOmk
e1gCbxNehgroSom0vtOKhMqzjUiAJ4r4+is3w4gGPdyUO35eUVsvmfQS+gf4GBuc
ldPTMNBSHBtnwFtAT2p6oP7kZqe5fmC7XMOZFRXHYSe6HyBjLqW3h4ex5Kbi1cA5
UoS42nbZDlxwDw22WgMntdd4g2TN9KscmJo3AHyCVsRdG0wUdL0=
=GXef
-----END PGP SIGNATURE-----
[signature.asc (application/pgp-signature, inline)]
Added tag(s) security.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 22 Oct 2020 07:09:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian CommunityWLAN Team <team+communitywlan@tracker.debian.org>
:
Bug#972521
; Package fastd
.
(Thu, 22 Oct 2020 12:42:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian CommunityWLAN Team <team+communitywlan@tracker.debian.org>
.
(Thu, 22 Oct 2020 12:42:02 GMT) (full text, mbox, link).
Message #17 received at 972521@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 fastd: CVE-2020-27638: DoS'able memory leak on invalid packets
On Mon, Oct 19, 2020 at 10:21:16PM +0200, Sven Eckelmann wrote:
> Package: fastd
> Severity: important
> Version: 17-4
>
> fastd doesn't free receive buffers for invalid packets. This can lead to
> memory exhaustion or (with v20) to an assert. From the release text:
>
> The new buffer management of fastd v20 revealed that received packets with an
> invalid type code were handled incorrectly, leaking the packet buffer. This lead
> to an assertion failure as soon as the buffer pool was empty, crashing fastd.
>
> Older versions of fastd are affected as well, but display a different behaviour:
> instead of crashing, the buffer leaks will manifest as a regular memory leak.
> This can still be used for Denial of Service attacks, so a patch for older
> versions will be provided, for the case that users can't or do not want to
> update to a newer version yet.
>
> The fix can also be found inside the attached mail.
CVE-2020-27638 was assigned for this issue.
Regards,
Salvatore
Changed Bug title to 'fastd: CVE-2020-27638: DoS'able memory leak on invalid packets' from 'fastd: DoS'able memory leak on invalid packets'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 972521-submit@bugs.debian.org
.
(Thu, 22 Oct 2020 12:42:02 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon Nov 16 09:51:31 2020;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.