From the upstream fix at $URL: Simplify the option parsing to make use of the fact that all the options we support are integer options. This fixes a buffer overflow in the utimeout option.
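The principle behind the upstream fix quoted above, shown as an added illustration that is not tftp-hpa's own code: since every option the server supports carries an integer value, each value can be parsed with strtoul(), range-checked, and then rendered for the OACK reply into a buffer sized for the largest possible value, with the snprintf() return value checked so a too-long rendering is an error rather than an overrun. The option names are the standard blksize/timeout/tsize plus tftp-hpa's utimeout; the ranges in the table are assumptions made for this example, not the values from the upstream source.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Integer-valued TFTP options and the value range accepted for each.
 * The bounds are an assumption for this example, not upstream's values. */
struct int_option {
    const char   *name;
    unsigned long min;
    unsigned long max;
};

static const struct int_option int_options[] = {
    { "blksize",  8,     65464 },
    { "timeout",  1,     255 },
    { "utimeout", 10000, 255000000UL },
    { "tsize",    0,     ULONG_MAX },
};

/* Room for the decimal rendering of any unsigned long (20 digits on
 * 64-bit platforms) plus the terminating NUL. */
#define OPT_VALUE_BUFLEN 24

/* Parse an option value strictly: decimal digits only, no sign, no leading
 * whitespace, no trailing garbage, and inside the option's range.
 * Returns 0 and stores the value in *out on success, -1 otherwise
 * (also for option names that are not in the table). */
int parse_int_option(const char *name, const char *val, unsigned long *out)
{
    const struct int_option *opt = NULL;
    size_t i;
    char *end;
    unsigned long v;

    for (i = 0; i < sizeof(int_options) / sizeof(int_options[0]); i++) {
        if (strcmp(int_options[i].name, name) == 0) {
            opt = &int_options[i];
            break;
        }
    }
    if (opt == NULL)
        return -1;

    /* strtoul() silently accepts leading whitespace and a '-' sign;
     * insist on a leading digit to reject both. */
    if (val == NULL || *val < '0' || *val > '9')
        return -1;

    errno = 0;
    v = strtoul(val, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    if (v < opt->min || v > opt->max)
        return -1;

    *out = v;
    return 0;
}

/* Render a negotiated value for the OACK. snprintf() truncates instead of
 * overrunning, and its return value tells us whether the buffer was big
 * enough. Returns the length written, or -1 if buf cannot hold the value. */
int format_option_value(unsigned long v, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%lu", v);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Full round trip for one option. Returns a pointer to the rendered value
 * (in a static buffer sized for the worst case) or NULL if rejected. */
const char *negotiated_value(const char *name, const char *val)
{
    static char oack_buf[OPT_VALUE_BUFLEN];
    unsigned long v;

    if (parse_int_option(name, val, &v) != 0)
        return NULL;
    if (format_option_value(v, oack_buf, sizeof oack_buf) < 0)
        return NULL;
    return oack_buf;
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    const char *samples[][2] = {
        { "utimeout", "255000000" },   /* in range, 9 digits */
        { "utimeout", "9999" },        /* below the assumed minimum */
        { "timeout",  "256" },         /* above the maximum */
        { "blksize",  "512abc" },      /* trailing garbage */
        { "blksize",  "-5" },          /* negative */
        { "mode",     "octet" },       /* not an integer option */
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *r = negotiated_value(samples[i][0], samples[i][1]);
        printf("%-9s %-10s -> %s\n", samples[i][0], samples[i][1],
               r ? r : "rejected");
    }
    return 0;
}
```

Compile with `gcc -Wall -O2 opt.c -o opt` and run. The important detail is the formatting step: a value such as 255000000 is numerically valid for utimeout but nine characters long, so a reply buffer sized for a three-digit timeout value would be overrun by a plain sprintf(); sizing the buffer for the widest integer and checking the snprintf() result turns that mismatch into a rejected option.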
tftp-hpa-5.1 in the tree now with the fix (upstream release w/ the patch included). @security: go for stabilizing.
(In reply to comment #1)
> tftp-hpa-5.1 in the tree now with the fix (upstream release w/ the patch
> included).
> @security: go for stabilizing.

Great, thanks. Arches, please test and mark stable:
=net-ftp/tftp-hpa-5.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
By default the service in init.d does not start; any advice or a simple example of how to configure it?
@ago: you MUST uncomment and create one of the INTFTPD_PATH directories in the conf.d file.
Thanks Robin, it works; amd64 ok.
It looks also good here on x86.
amd64 done. Thanks Agostino
x86 stable. Thanks Andreas
Stable for HPPA.
ppc/ppc64 stable
arm stable
alpha/ia64/s390/sh/sparc stable
Thanks, folks. GLSA request filed.
tftp failed

# echo -e "binary\nrexmt 1\ntimeout 60\ntrace\nget wdsnbp.com\n" | tftp 192.168.0.92
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace
Packet tracing on.
tftp> get wdsnbp.com
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f8ca500cd47]
/lib64/libc.so.6(+0xf7bc0)[0x7f8ca500abc0]
tftp[0x4020d1]
tftp[0x402b1d]
tftp[0x401c7a]
/lib64/libc.so.6(__libc_start_main+0xed)[0x7f8ca4f342fd]
tftp[0x401fd9]
======= Memory map: ========
00400000-00407000 r-xp 00000000 08:03 39012 /usr/bin/tftp
00606000-00607000 r--p 00006000 08:03 39012 /usr/bin/tftp
00607000-00608000 rw-p 00007000 08:03 39012 /usr/bin/tftp
00608000-0066a000 rw-p 00000000 00:00 0 [heap]
7f8ca4043000-7f8ca4058000 r-xp 00000000 08:03 2117863 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7f8ca4058000-7f8ca4257000 ---p 00015000 08:03 2117863 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7f8ca4257000-7f8ca4258000 r--p 00014000 08:03 2117863 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7f8ca4258000-7f8ca4259000 rw-p 00015000 08:03 2117863 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7f8ca4259000-7f8ca48ae000 r--p 00000000 08:03 107790 /usr/lib64/locale/locale-archive
7f8ca48ae000-7f8ca48ba000 r-xp 00000000 08:03 665772 /lib64/libnss_files-2.13.so
7f8ca48ba000-7f8ca4ab9000 ---p 0000c000 08:03 665772 /lib64/libnss_files-2.13.so
7f8ca4ab9000-7f8ca4aba000 r--p 0000b000 08:03 665772 /lib64/libnss_files-2.13.so
7f8ca4aba000-7f8ca4abb000 rw-p 0000c000 08:03 665772 /lib64/libnss_files-2.13.so
7f8ca4abb000-7f8ca4abd000 r-xp 00000000 08:03 667043 /lib64/libdl-2.13.so
7f8ca4abd000-7f8ca4cbd000 ---p 00002000 08:03 667043 /lib64/libdl-2.13.so
7f8ca4cbd000-7f8ca4cbe000 r--p 00002000 08:03 667043 /lib64/libdl-2.13.so
7f8ca4cbe000-7f8ca4cbf000 rw-p 00003000 08:03 667043 /lib64/libdl-2.13.so
7f8ca4cbf000-7f8ca4d0e000 r-xp 00000000 08:03 665550 /lib64/libncurses.so.5.9
7f8ca4d0e000-7f8ca4f0d000 ---p 0004f000 08:03 665550 /lib64/libncurses.so.5.9
7f8ca4f0d000-7f8ca4f11000 r--p 0004e000 08:03 665550 /lib64/libncurses.so.5.9
7f8ca4f11000-7f8ca4f12000 rw-p 00052000 08:03 665550 /lib64/libncurses.so.5.9
7f8ca4f12000-7f8ca4f13000 rw-p 00000000 00:00 0
7f8ca4f13000-7f8ca50a8000 r-xp 00000000 08:03 667052 /lib64/libc-2.13.so
7f8ca50a8000-7f8ca52a7000 ---p 00195000 08:03 667052 /lib64/libc-2.13.so
7f8ca52a7000-7f8ca52ab000 r--p 00194000 08:03 667052 /lib64/libc-2.13.so
7f8ca52ab000-7f8ca52ac000 rw-p 00198000 08:03 667052 /lib64/libc-2.13.so
7f8ca52ac000-7f8ca52b2000 rw-p 00000000 00:00 0
7f8ca52b2000-7f8ca52ef000 r-xp 00000000 08:03 665443 /lib64/libreadline.so.6.2
7f8ca52ef000-7f8ca54ef000 ---p 0003d000 08:03 665443 /lib64/libreadline.so.6.2
7f8ca54ef000-7f8ca54f1000 r--p 0003d000 08:03 665443 /lib64/libreadline.so.6.2
7f8ca54f1000-7f8ca54f7000 rw-p 0003f000 08:03 665443 /lib64/libreadline.so.6.2
7f8ca54f7000-7f8ca54f9000 rw-p 00000000 00:00 0
7f8ca54f9000-7f8ca5519000 r-xp 00000000 08:03 667051 /lib64/ld-2.13.so
7f8ca56d9000-7f8ca56dd000 rw-p 00000000 00:00 0
7f8ca570f000-7f8ca5710000 rw-p 00000000 00:00 0
7f8ca5710000-7f8ca5717000 r--s 00000000 08:03 115386 /usr/lib64/gconv/gconv-modules.cache
7f8ca5717000-7f8ca5719000 rw-p 00000000 00:00 0
7f8ca5719000-7f8ca571a000 r--p 00020000 08:03 667051 /lib64/ld-2.13.so
7f8ca571a000-7f8ca571b000 rw-p 00021000 08:03 667051 /lib64/ld-2.13.so
7f8ca571b000-7f8ca571c000 rw-p 00000000 00:00 0
7fff9e3ee000-7fff9e410000 rw-p 00000000 00:00 0 [stack]
7fff9e4bc000-7fff9e4bd000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted
gentoo shm # ls
p portage pulse-shm-1883080623 pulse-shm-3653517906 pulse-shm-979569134
tftp> wdsnbp.com
gentoo shm # echo -e "binary\nrexmt 1\ntimeout 60\ntrace\nput p\n" | tftp 192.168.0.92
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace
Packet tracing on.
tftp> put p
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fd4e930dd47]
/lib64/libc.so.6(+0xf7bc0)[0x7fd4e930bbc0]
tftp[0x4020d1]
tftp[0x4025ae]
tftp[0x401c7a]
/lib64/libc.so.6(__libc_start_main+0xed)[0x7fd4e92352fd]
tftp[0x401fd9]
======= Memory map: ========
00400000-00407000 r-xp 00000000 08:03 39012 /usr/bin/tftp
00606000-00607000 r--p 00006000 08:03 39012 /usr/bin/tftp
00607000-00608000 rw-p 00007000 08:03 39012 /usr/bin/tftp
00608000-0066a000 rw-p 00000000 00:00 0 [heap]
7fd4e8344000-7fd4e8359000 r-xp 00000000 08:03 2117863 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7fd4e8359000-7fd4e8558000 ---p 00015000 08:03 2117863 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7fd4e8558000-7fd4e8559000 r--p 00014000 08:03 2117863 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7fd4e8559000-7fd4e855a000 rw-p 00015000 08:03 2117863 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7fd4e855a000-7fd4e8baf000 r--p 00000000 08:03 107790 /usr/lib64/locale/locale-archive
7fd4e8baf000-7fd4e8bbb000 r-xp 00000000 08:03 665772 /lib64/libnss_files-2.13.so
7fd4e8bbb000-7fd4e8dba000 ---p 0000c000 08:03 665772 /lib64/libnss_files-2.13.so
7fd4e8dba000-7fd4e8dbb000 r--p 0000b000 08:03 665772 /lib64/libnss_files-2.13.so
7fd4e8dbb000-7fd4e8dbc000 rw-p 0000c000 08:03 665772 /lib64/libnss_files-2.13.so
7fd4e8dbc000-7fd4e8dbe000 r-xp 00000000 08:03 667043 /lib64/libdl-2.13.so
7fd4e8dbe000-7fd4e8fbe000 ---p 00002000 08:03 667043 /lib64/libdl-2.13.so
7fd4e8fbe000-7fd4e8fbf000 r--p 00002000 08:03 667043 /lib64/libdl-2.13.so
7fd4e8fbf000-7fd4e8fc0000 rw-p 00003000 08:03 667043 /lib64/libdl-2.13.so
7fd4e8fc0000-7fd4e900f000 r-xp 00000000 08:03 665550 /lib64/libncurses.so.5.9
7fd4e900f000-7fd4e920e000 ---p 0004f000 08:03 665550 /lib64/libncurses.so.5.9
7fd4e920e000-7fd4e9212000 r--p 0004e000 08:03 665550 /lib64/libncurses.so.5.9
7fd4e9212000-7fd4e9213000 rw-p 00052000 08:03 665550 /lib64/libncurses.so.5.9
7fd4e9213000-7fd4e9214000 rw-p 00000000 00:00 0
7fd4e9214000-7fd4e93a9000 r-xp 00000000 08:03 667052 /lib64/libc-2.13.so
7fd4e93a9000-7fd4e95a8000 ---p 00195000 08:03 667052 /lib64/libc-2.13.so
7fd4e95a8000-7fd4e95ac000 r--p 00194000 08:03 667052 /lib64/libc-2.13.so
7fd4e95ac000-7fd4e95ad000 rw-p 00198000 08:03 667052 /lib64/libc-2.13.so
7fd4e95ad000-7fd4e95b3000 rw-p 00000000 00:00 0
7fd4e95b3000-7fd4e95f0000 r-xp 00000000 08:03 665443 /lib64/libreadline.so.6.2
7fd4e95f0000-7fd4e97f0000 ---p 0003d000 08:03 665443 /lib64/libreadline.so.6.2
7fd4e97f0000-7fd4e97f2000 r--p 0003d000 08:03 665443 /lib64/libreadline.so.6.2
7fd4e97f2000-7fd4e97f8000 rw-p 0003f000 08:03 665443 /lib64/libreadline.so.6.2
7fd4e97f8000-7fd4e97fa000 rw-p 00000000 00:00 0
7fd4e97fa000-7fd4e981a000 r-xp 00000000 08:03 667051 /lib64/ld-2.13.so
7fd4e99da000-7fd4e99de000 rw-p 00000000 00:00 0
7fd4e9a10000-7fd4e9a11000 rw-p 00000000 00:00 0
7fd4e9a11000-7fd4e9a18000 r--s 00000000 08:03 115386 /usr/lib64/gconv/gconv-modules.cache
7fd4e9a18000-7fd4e9a1a000 rw-p 00000000 00:00 0
7fd4e9a1a000-7fd4e9a1b000 r--p 00020000 08:03 667051 /lib64/ld-2.13.so
7fd4e9a1b000-7fd4e9a1c000 rw-p 00021000 08:03 667051 /lib64/ld-2.13.so
7fd4e9a1c000-7fd4e9a1d000 rw-p 00000000 00:00 0
7fff54eb4000-7fff54ed6000 rw-p 00000000 00:00 0 [stack]
7fff54f3b000-7fff54f3c000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
# emerge --info tftp-hpa
Portage 2.1.10.9 (default/linux/amd64/10.0, gcc-4.6.1, glibc-2.13-r4, 3.0.0-ccs x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-3.0.0-ccs-x86_64-Intel-R-_Core-TM-2_Duo_CPU_T9300_@_2.50GHz-with-gentoo-2.0.3
Timestamp of tree: Sat, 30 Jul 2011 22:00:01 +0000
ccache version 3.1.5 [disabled]
app-shells/bash: 4.2_p10
dev-java/java-config: 2.1.11-r3
dev-lang/python: 2.6.7-r2, 2.7.2-r2, 3.1.3-r1, 3.2-r2
dev-util/ccache: 3.1.5
dev-util/cmake: 2.8.5-r2
dev-util/pkgconfig: 0.26
sys-apps/baselayout: 2.0.3
sys-apps/openrc: 0.8.3-r1
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.13, 2.68
sys-devel/automake: 1.9.6-r3, 1.10.3, 1.11.1-r1
sys-devel/binutils: 2.21.1
sys-devel/gcc: 4.4.5::<unknown repository>, 4.5.2, 4.6.1
sys-devel/gcc-config: 1.5-r1
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82-r1
sys-kernel/linux-headers: 2.6.38 (virtual/os-headers)
sys-libs/glibc: 2.13-r4
Repositories: gentoo x11 sunrise gentoo-zh vmware local_overlay
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-mtune=core2 -march=core2 -O2 -msse4.1 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.2/ext-active/ /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.2/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.2/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-mtune=core2 -march=core2 -O2 -msse4.1 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs collision-protect distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://gentoo.netnitco.net/ "
LANG="zh_CN.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="zh_CN en_US zh en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/dev/shm/"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/x11 /var/lib/layman/sunrise /var/lib/layman/gentoo-zh /var/lib/layman/vmware /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac accessibility acl acpi alsa amd64 ao apache2 avahi bash-completion berkdb branding bzip2 cairo caps cdr cjk cli clutter consolekit cracklib crypt cups cxx dbus dga djvu dri dts dvd dvdr eds emboss encode evo examples exif fam ffmpeg firefox flac fortran gdbm gdu gif gimp gnome gnome-keyring gphoto2 gpm gstreamer gtk guile i18n iconv icu ipv6 jadetex java jpeg jpeg2k latex lcms ldap libnotify mad midi mikmod mmap mmx mng modules mp3 mp4 mpeg mudflap multilib mysql nas nautilus ncurses networkmanager nfs nls nntp nptl nptlonly nsplugin nvidia ogg opengl openmp pam pango pch pcre pda pdf perl php png policykit ppds pppd pulseaudio python qt3support qt4 readline samba scsi sdl session smp snmp spell sqlite sse sse2 sse3 ssl ssse3 startup-notification suid svg sysfs tcpd threads tiff tk truetype unicode usb v4l2 vim-syntax vorbis x264 xattr xcb xml xmp xorg xulrunner xv xvid xvmc zlib"
ALSA_CARDS="ens1370 hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="evdev synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="zh_CN en_US zh en"
PHP_TARGETS="php5-3"
QEMU_SOFTMMU_TARGETS="x86_64"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="vmwgfx vmwlegacy nouveau nvidia nv vmware vesa svga"
XTABLES_ADDONS="cui gfw zhang ipset"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
=================================================================
                        Package Settings
=================================================================
net-ftp/tftp-hpa-5.1 was built with the following:
USE="ipv6 (multilib) readline tcpd (-selinux)"
All "Available versions: 0.49-r1 (~)5.0 (~)5.1" from gentoo failed:
(In reply to comment #16)
> All "Available versions: 0.49-r1 (~)5.0 (~)5.1" from gentoo failed:

fkhp, it does not look like these errors are related to this vulnerability. Please open a new bug if this is a new issue. Thank you.
that is already Bug 375157
This issue was resolved and addressed in GLSA 201206-12 at http://security.gentoo.org/glsa/glsa-201206-12.xml by GLSA coordinator Stefan Behte (craig).
CVE-2011-2199 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2199): Buffer overflow in tftp-hpa before 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via the utimeout option.