Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 741566 (CVE-2020-6097)

Summary: <net-ftp/atftp-0.7.2-r2: Denial of service vulnerability (CVE-2020-6097)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: klausman, martin.dummer, proxy-maint
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029
Whiteboard: B3 [noglsa]
Package list:
net-ftp/atftp-0.7.2-r2 amd64 arm ppc ppc64 x86
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-11 02:34:49 UTC
Description:
"An exploitable denial of service vulnerability exists in the atftpd daemon functionality of atftp 0.7.git20120829-3.1+b1. A specially crafted sequence of RRQ-Multicast requests trigger an assert() call resulting in denial-of-service. An attacker can send a sequence of malicious packets to trigger this vulnerability."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 08:47:36 UTC
A patch is available here. Not assessed it. https://sourceforge.net/p/atftp/code/merge-requests/3/.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-10 16:41:06 UTC
ping
Comment 3 Larry the Git Cow gentoo-dev 2021-01-12 11:56:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb0a9a8269b01b991bb14c1382058d84de966ea2

commit fb0a9a8269b01b991bb14c1382058d84de966ea2
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2021-01-12 11:54:22 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2021-01-12 11:55:58 +0000

    net-ftp/atftp: Add -r addressing CVE 2020-6097
    
    Patch sourced from:
    https://sourceforge.net/u/peterkaestle/atftp/ci/96409ef3b9ca061f9527cfaafa778105cf15d994/
    
    Bug: https://bugs.gentoo.org/741566
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 net-ftp/atftp/atftp-0.7.2-r2.ebuild                | 68 ++++++++++++++++
 .../atftp/files/atftp-0.7.2-cve-2020-6097.patch    | 92 ++++++++++++++++++++++
 2 files changed, 160 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-12 12:06:12 UTC
Thank you! Let us know when ready to stable.
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2021-01-12 13:22:26 UTC
Let's have -r2 soak for ten days (until 2021-01-22), then I'll make this a stablereq. Prospective arches are amd64, arm, ppc, ppc64, x86 (i.e. the current stable set for -r1).
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-18 01:33:57 UTC
(In reply to Tobias Klausmann from comment #5)
> Let's have -r2 soak for ten days (until 2021-01-22), then I'll make this a
> stablereq. Prospective arches are amd64, arm, ppc, ppc64, x86 (i.e. the
> current stable set for -r1).

Sure, thank you!
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-22 07:14:17 UTC
Ready?
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2021-01-22 11:51:03 UTC
Arches, please test and mark stable:

=net-ftp/atftp-0.7.2-r2

As this is a security bug, please let the security team handle things once the last arch is done (i.e. don't close the bug).
Comment 9 Agostino Sarubbo gentoo-dev 2021-01-24 11:58:56 UTC
amd64 stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 13:33:41 UTC
ppc64 done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 13:35:19 UTC
ppc done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 21:51:41 UTC
arm done
Comment 13 Agostino Sarubbo gentoo-dev 2021-01-25 12:18:48 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 Larry the Git Cow gentoo-dev 2021-01-26 18:18:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20c34541d0263f7ac9637a4c75cbe9a724628f7d

commit 20c34541d0263f7ac9637a4c75cbe9a724628f7d
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2021-01-26 18:18:08 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2021-01-26 18:18:08 +0000

    net-ftp/atftp: Remove old version (0.7.2-r1)
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=741566
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 net-ftp/atftp/atftp-0.7.2-r1.ebuild | 67 -------------------------------------
 1 file changed, 67 deletions(-)
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-26 18:30:13 UTC
Thank you!