[arch-commits] Commit in atftp/trunk (2 files)
Christian Hesse
eworm at archlinux.org
Tue Feb 2 10:57:55 UTC 2021
Date: Tuesday, February 2, 2021 @ 10:57:55
Author: eworm
Revision: 841018
upgpkg: atftp 0.7.4-1: new upstream release
Modified:
atftp/trunk/PKGBUILD
Deleted:
atftp/trunk/0001-Fix-for-DoS-issue-CVE-2020-6097.patch
--------------------------------------------+
0001-Fix-for-DoS-issue-CVE-2020-6097.patch | 99 ---------------------------
PKGBUILD | 14 ---
2 files changed, 3 insertions(+), 110 deletions(-)
Deleted: 0001-Fix-for-DoS-issue-CVE-2020-6097.patch
===================================================================
--- 0001-Fix-for-DoS-issue-CVE-2020-6097.patch 2021-02-02 10:49:11 UTC (rev 841017)
+++ 0001-Fix-for-DoS-issue-CVE-2020-6097.patch 2021-02-02 10:57:55 UTC (rev 841018)
@@ -1,99 +0,0 @@
-From 96409ef3b9ca061f9527cfaafa778105cf15d994 Mon Sep 17 00:00:00 2001
-From: Peter Kaestle <peter.kaestle at nokia.com>
-Date: Wed, 14 Oct 2020 14:02:41 +0200
-Subject: [PATCH 1/1] Fix for DoS issue CVE-2020-6097
-
-"sockaddr_print_addr" of tftpd can be triggered remotely to call
-assert(), which will crash the tftpd daemon. See:
-https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029
-
-"sockaddr_print_addr" originaly had two features:
-1) returning pointer to string of the incoming ip address
-2) checking whether ss_family of the connection is supported
-
-To fix the issue, a separate function "sockaddr_family_supported" is
-used to take care of 2) and "sockaddr_print_addr" returns an error
-message string for unsupported cases when using 1) insert of calling
-assert().
-
-Signed-off-by: Christian Hesse <mail at eworm.de>
----
- tftp_def.c | 11 ++++++++++-
- tftp_def.h | 1 +
- tftpd.c | 5 +++++
- tftpd_mtftp.c | 5 +++++
- 4 files changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/tftp_def.c b/tftp_def.c
-index d457c2a..428a930 100644
---- a/tftp_def.c
-+++ b/tftp_def.c
-@@ -180,6 +180,15 @@ int Gethostbyname(char *addr, struct hostent *host)
- return OK;
- }
-
-+int
-+sockaddr_family_supported(const struct sockaddr_storage *ss)
-+{
-+ if (ss->ss_family == AF_INET || ss->ss_family == AF_INET6)
-+ return 1;
-+ else
-+ return 0;
-+}
-+
- char *
- sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len)
- {
-@@ -189,7 +198,7 @@ sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len)
- else if (ss->ss_family == AF_INET6)
- addr = &((const struct sockaddr_in6 *)ss)->sin6_addr;
- else
-- assert(!"sockaddr_print: unsupported address family");
-+ return "sockaddr_print: unsupported address family";
- return (char *)inet_ntop(ss->ss_family, addr, buf, len);
- }
-
-diff --git a/tftp_def.h b/tftp_def.h
-index 0841746..458e310 100644
---- a/tftp_def.h
-+++ b/tftp_def.h
-@@ -54,6 +54,7 @@ int print_eng(double value, char *string, int size, char *format);
- inline char *Strncpy(char *to, const char *from, size_t size);
- int Gethostbyname(char *addr, struct hostent *host);
-
-+int sockaddr_family_supported(const struct sockaddr_storage *ss);
- char *sockaddr_print_addr(const struct sockaddr_storage *, char *, size_t);
- #define SOCKADDR_PRINT_ADDR_LEN INET6_ADDRSTRLEN
- uint16_t sockaddr_get_port(const struct sockaddr_storage *);
-diff --git a/tftpd.c b/tftpd.c
-index 0b6f6a5..a7561a5 100644
---- a/tftpd.c
-+++ b/tftpd.c
-@@ -644,6 +644,11 @@ void *tftpd_receive_request(void *arg)
- }
-
- #ifdef HAVE_WRAP
-+ if (!abort && !sockaddr_family_supported(&data->client_info->client))
-+ {
-+ logger(LOG_ERR, "Connection from unsupported network address family refused");
-+ abort = 1;
-+ }
- if (!abort)
- {
- /* Verify the client has access. We don't look for the name but
-diff --git a/tftpd_mtftp.c b/tftpd_mtftp.c
-index d420d10..0032905 100644
---- a/tftpd_mtftp.c
-+++ b/tftpd_mtftp.c
-@@ -393,6 +393,11 @@ void *tftpd_mtftp_server(void *arg)
- &data_size, data->data_buffer);
-
- #ifdef HAVE_WRAP
-+ if (!sockaddr_family_supported(&sa))
-+ {
-+ logger(LOG_ERR, "mtftp: Connection from unsupported network address family refused");
-+ continue;
-+ }
- /* Verify the client has access. We don't look for the name but
- rely only on the IP address for that. */
- sockaddr_print_addr(&sa, addr_str, sizeof(addr_str));
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-02-02 10:49:11 UTC (rev 841017)
+++ PKGBUILD 2021-02-02 10:57:55 UTC (rev 841018)
@@ -2,8 +2,8 @@
# Contributor: Johannes Löthberg <demizide at gmail.com>
pkgname=atftp
-pkgver=0.7.2
-pkgrel=3
+pkgver=0.7.4
+pkgrel=1
pkgdesc='Client/server implementation of the TFTP protocol that implements RFCs 1350, 2090, 2347, 2348, and 2349'
arch=('x86_64')
url='https://sourceforge.net/projects/atftp/'
@@ -11,24 +11,16 @@
depends=('pcre' 'readline')
backup=('etc/conf.d/atftpd')
source=("https://downloads.sf.net/sourceforge/atftp/atftp-$pkgver.tar.gz"
- '0001-Fix-for-DoS-issue-CVE-2020-6097.patch'
'atftpd.service'
'atftpd.conf'
'sysusers.conf'
'tmpfiles.conf')
-sha256sums=('1ad080674e9f974217b3a703e7356c6c8446dc5e7b2014d0d06e1bfaa11b5041'
- '1293479d9aa4bfabfe2a520862bf09ad11e70344426fb980cbf8ed745e8fef31'
+sha256sums=('d3c9cd0d971dfc786d7a5f4055c35d4e66aafc8102ac03473ef225bdf7edb26a'
'74a030f0fb48e97470d59d767039e44d28cbd6c4722621207684220210b8fa65'
'0b28125099ffdd6869c6fbcb3167e93ccd71a0c6e465b1b62c7dedf9f628dd4e'
'e56f601bcdf0d64bf98813cd4a1be323541e33921c7d4f350168f62b56e66d11'
'2096272445c736ba05529af628cc2d46d0236c8f1ecbd50bb1db6dc6c4a972c5')
-prepare() {
- cd atftp-$pkgver
-
- patch -Np1 < ../0001-Fix-for-DoS-issue-CVE-2020-6097.patch
-}
-
build() {
cd atftp-$pkgver
More information about the arch-commits
mailing list