Bug 374001 (CVE-2011-2199) - <net-ftp/tftp-hpa-5.1: Remote buffer overflow (CVE-2011-2199)
Summary: <net-ftp/tftp-hpa-5.1: Remote buffer overflow (CVE-2011-2199)
Status: RESOLVED FIXED
Alias: CVE-2011-2199
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://git.kernel.org/?p=network/tftp...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-04 06:07 UTC by Tim Sammut (RETIRED)
Modified: 2012-07-23 19:28 UTC

See Also:
Package list:
Runtime testing required: ---
Description Tim Sammut (RETIRED) gentoo-dev 2011-07-04 06:07:17 UTC
From the upstream fix at $URL:

Simplify the option parsing to make use of the fact that all the
options we support are integer options.  This fixes a buffer overflow
in the utimeout option.
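The upstream commit message above says the fix was to treat every supported TFTP option as an integer and parse it as such, instead of handling each option's string value separately. As an added illustration of that defensive pattern (this is not code from tftp-hpa or from the upstream fix), the block below reads an RFC 2347-style option block in place, bounded by the packet length, and converts each known option to a number without copying the value into any fixed-size buffer. The option names and the RFC 2348/2349 ranges for blksize, timeout and tsize are real; the utimeout bounds, MAX_OPT_VALUE_LEN, the function names and the sample packet are assumptions constructed for this example.

```c
/* Added example, not tftp-hpa's code: integer-only parsing of TFTP options.
 * Values are validated and converted in place; nothing is ever strcpy'd
 * into a fixed stack buffer, so an over-long value cannot overflow one. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OPT_VALUE_LEN 16   /* assumed cap: longest decimal value we will look at */

struct int_option {
    const char *name;
    unsigned long min, max;
};

/* Known integer options. blksize: RFC 2348; timeout and tsize: RFC 2349.
 * utimeout is tftp-hpa's microsecond timeout; its bounds here are assumed. */
static const struct int_option known_options[] = {
    { "blksize",  8,     65464 },
    { "timeout",  1,     255 },
    { "tsize",    0,     ULONG_MAX },
    { "utimeout", 10000, 255000000UL },
};

enum opt_result { OPT_OK = 0, OPT_UNKNOWN = 1, OPT_MALFORMED = 2, OPT_OUT_OF_RANGE = 3 };

/* RFC 2347: option names are case-insensitive. */
static int name_equals(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Convert a decimal option value that is read in place: all digits,
 * non-empty, bounded length, and no overflow in strtoul. */
static int parse_uint(const char *value, unsigned long *out)
{
    size_t len = 0;
    while (value[len] != '\0') {
        if (!isdigit((unsigned char)value[len])) return 0;
        if (++len > MAX_OPT_VALUE_LEN) return 0;   /* refuse over-long values early */
    }
    if (len == 0) return 0;
    errno = 0;
    char *end;
    unsigned long v = strtoul(value, &end, 10);
    if (errno == ERANGE || *end != '\0') return 0;
    *out = v;
    return 1;
}

enum opt_result parse_int_option(const char *name, const char *value, unsigned long *out)
{
    for (size_t i = 0; i < sizeof known_options / sizeof known_options[0]; i++) {
        const struct int_option *o = &known_options[i];
        if (!name_equals(name, o->name)) continue;
        unsigned long v;
        if (!parse_uint(value, &v)) return OPT_MALFORMED;
        if (v < o->min || v > o->max) return OPT_OUT_OF_RANGE;
        *out = v;
        return OPT_OK;
    }
    return OPT_UNKNOWN;
}

/* Walk the "name\0value\0..." tail of a request, bounded by the packet
 * length rather than trusting that NUL terminators exist. Returns the
 * number of accepted options, or -1 if the block is structurally malformed. */
int parse_option_block(const char *buf, size_t len, unsigned long accepted[], size_t max_accepted)
{
    size_t pos = 0, n = 0;
    while (pos < len) {
        const char *name = buf + pos;
        const char *nul = memchr(name, '\0', len - pos);
        if (!nul) return -1;
        pos = (size_t)(nul - buf) + 1;
        if (pos >= len) return -1;                 /* name with no value */
        const char *value = buf + pos;
        nul = memchr(value, '\0', len - pos);
        if (!nul) return -1;
        pos = (size_t)(nul - buf) + 1;
        unsigned long v;
        if (parse_int_option(name, value, &v) == OPT_OK && n < max_accepted)
            accepted[n++] = v;  /* unknown or invalid options are simply not acknowledged */
    }
    return (int)n;
}

int main(void)
{
    /* Constructed option block: a valid blksize, a valid utimeout, and a
     * timeout value far too long to fit any small fixed buffer. */
    const char block[] = "blksize\0" "1428\0" "utimeout\0" "2000000\0"
                         "timeout\0" "99999999999999999999999\0";
    unsigned long vals[4];
    int n = parse_option_block(block, sizeof block - 1, vals, 4);
    printf("accepted %d options\n", n);
    for (int i = 0; i < n; i++) printf("  %lu\n", vals[i]);
    return 0;
}
```

The over-long timeout value is rejected as malformed before any arithmetic happens, and a block whose last value lacks its terminating NUL is rejected outright instead of being read past the end of the packet.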
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-07-04 06:23:45 UTC
tftp-hpa-5.1 in the tree now with the fix (upstream release w/ the patch included).
@security: go for stabilizing.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-07-04 06:29:14 UTC
(In reply to comment #1)
> tftp-hpa-5.1 in the tree now with the fix (upstream release w/ the patch
> included).
> @security: go for stabilizing.

Great, thanks.

Arches, please test and mark stable:
=net-ftp/tftp-hpa-5.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-07-04 10:50:17 UTC
By default the service in init.d does not start; any advice or a simple example of how to configure it?
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-07-04 17:28:15 UTC
@ago:
you MUST uncomment and create one of the INTFTPD_PATH directories in the conf.d file.
Comment 5 Agostino Sarubbo gentoo-dev 2011-07-04 18:58:38 UTC
Thanks Robin.

It works, amd64 ok.
Comment 6 Andreas Schürch gentoo-dev 2011-07-06 07:14:26 UTC
It looks also good here on x86.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-07-06 17:50:00 UTC
amd64 done. Thanks Agostino
Comment 8 Thomas Kahle (RETIRED) gentoo-dev 2011-07-08 12:38:54 UTC
x86 stable. Thanks Andreas
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-07-08 17:10:45 UTC
Stable for HPPA.
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-07-09 08:21:50 UTC
ppc/ppc64 stable
Comment 11 Markus Meier gentoo-dev 2011-07-10 10:33:50 UTC
arm stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2011-07-10 11:14:34 UTC
alpha/ia64/s390/sh/sparc stable
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-07-10 14:52:14 UTC
Thanks, folks. GLSA request filed.
Comment 14 fkhp 2011-07-31 04:31:49 UTC
tftp failed


# echo -e "binary\nrexmt 1\ntimeout 60\ntrace\nget wdsnbp.com\n" | tftp 192.168.0.92
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace
Packet tracing on.
tftp> get wdsnbp.com
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f8ca500cd47]
/lib64/libc.so.6(+0xf7bc0)[0x7f8ca500abc0]
tftp[0x4020d1]
tftp[0x402b1d]
tftp[0x401c7a]
/lib64/libc.so.6(__libc_start_main+0xed)[0x7f8ca4f342fd]
tftp[0x401fd9]
======= Memory map: ========
00400000-00407000 r-xp 00000000 08:03 39012                              /usr/bin/tftp
00606000-00607000 r--p 00006000 08:03 39012                              /usr/bin/tftp
00607000-00608000 rw-p 00007000 08:03 39012                              /usr/bin/tftp
00608000-0066a000 rw-p 00000000 00:00 0                                  [heap]
7f8ca4043000-7f8ca4058000 r-xp 00000000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7f8ca4058000-7f8ca4257000 ---p 00015000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7f8ca4257000-7f8ca4258000 r--p 00014000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7f8ca4258000-7f8ca4259000 rw-p 00015000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7f8ca4259000-7f8ca48ae000 r--p 00000000 08:03 107790                     /usr/lib64/locale/locale-archive
7f8ca48ae000-7f8ca48ba000 r-xp 00000000 08:03 665772                     /lib64/libnss_files-2.13.so
7f8ca48ba000-7f8ca4ab9000 ---p 0000c000 08:03 665772                     /lib64/libnss_files-2.13.so
7f8ca4ab9000-7f8ca4aba000 r--p 0000b000 08:03 665772                     /lib64/libnss_files-2.13.so
7f8ca4aba000-7f8ca4abb000 rw-p 0000c000 08:03 665772                     /lib64/libnss_files-2.13.so
7f8ca4abb000-7f8ca4abd000 r-xp 00000000 08:03 667043                     /lib64/libdl-2.13.so
7f8ca4abd000-7f8ca4cbd000 ---p 00002000 08:03 667043                     /lib64/libdl-2.13.so
7f8ca4cbd000-7f8ca4cbe000 r--p 00002000 08:03 667043                     /lib64/libdl-2.13.so
7f8ca4cbe000-7f8ca4cbf000 rw-p 00003000 08:03 667043                     /lib64/libdl-2.13.so
7f8ca4cbf000-7f8ca4d0e000 r-xp 00000000 08:03 665550                     /lib64/libncurses.so.5.9
7f8ca4d0e000-7f8ca4f0d000 ---p 0004f000 08:03 665550                     /lib64/libncurses.so.5.9
7f8ca4f0d000-7f8ca4f11000 r--p 0004e000 08:03 665550                     /lib64/libncurses.so.5.9
7f8ca4f11000-7f8ca4f12000 rw-p 00052000 08:03 665550                     /lib64/libncurses.so.5.9
7f8ca4f12000-7f8ca4f13000 rw-p 00000000 00:00 0 
7f8ca4f13000-7f8ca50a8000 r-xp 00000000 08:03 667052                     /lib64/libc-2.13.so
7f8ca50a8000-7f8ca52a7000 ---p 00195000 08:03 667052                     /lib64/libc-2.13.so
7f8ca52a7000-7f8ca52ab000 r--p 00194000 08:03 667052                     /lib64/libc-2.13.so
7f8ca52ab000-7f8ca52ac000 rw-p 00198000 08:03 667052                     /lib64/libc-2.13.so
7f8ca52ac000-7f8ca52b2000 rw-p 00000000 00:00 0 
7f8ca52b2000-7f8ca52ef000 r-xp 00000000 08:03 665443                     /lib64/libreadline.so.6.2
7f8ca52ef000-7f8ca54ef000 ---p 0003d000 08:03 665443                     /lib64/libreadline.so.6.2
7f8ca54ef000-7f8ca54f1000 r--p 0003d000 08:03 665443                     /lib64/libreadline.so.6.2
7f8ca54f1000-7f8ca54f7000 rw-p 0003f000 08:03 665443                     /lib64/libreadline.so.6.2
7f8ca54f7000-7f8ca54f9000 rw-p 00000000 00:00 0 
7f8ca54f9000-7f8ca5519000 r-xp 00000000 08:03 667051                     /lib64/ld-2.13.so
7f8ca56d9000-7f8ca56dd000 rw-p 00000000 00:00 0 
7f8ca570f000-7f8ca5710000 rw-p 00000000 00:00 0 
7f8ca5710000-7f8ca5717000 r--s 00000000 08:03 115386                     /usr/lib64/gconv/gconv-modules.cache
7f8ca5717000-7f8ca5719000 rw-p 00000000 00:00 0 
7f8ca5719000-7f8ca571a000 r--p 00020000 08:03 667051                     /lib64/ld-2.13.so
7f8ca571a000-7f8ca571b000 rw-p 00021000 08:03 667051                     /lib64/ld-2.13.so
7f8ca571b000-7f8ca571c000 rw-p 00000000 00:00 0 
7fff9e3ee000-7fff9e410000 rw-p 00000000 00:00 0                          [stack]
7fff9e4bc000-7fff9e4bd000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
已放弃
gentoo shm # ls
p  portage  pulse-shm-1883080623  pulse-shm-3653517906  pulse-shm-979569134  tftp>  wdsnbp.com
gentoo shm # echo -e "binary\nrexmt 1\ntimeout 60\ntrace\nput p\n" | tftp 192.168.0.92
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace
Packet tracing on.
tftp> put p
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fd4e930dd47]
/lib64/libc.so.6(+0xf7bc0)[0x7fd4e930bbc0]
tftp[0x4020d1]
tftp[0x4025ae]
tftp[0x401c7a]
/lib64/libc.so.6(__libc_start_main+0xed)[0x7fd4e92352fd]
tftp[0x401fd9]
======= Memory map: ========
00400000-00407000 r-xp 00000000 08:03 39012                              /usr/bin/tftp
00606000-00607000 r--p 00006000 08:03 39012                              /usr/bin/tftp
00607000-00608000 rw-p 00007000 08:03 39012                              /usr/bin/tftp
00608000-0066a000 rw-p 00000000 00:00 0                                  [heap]
7fd4e8344000-7fd4e8359000 r-xp 00000000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7fd4e8359000-7fd4e8558000 ---p 00015000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7fd4e8558000-7fd4e8559000 r--p 00014000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7fd4e8559000-7fd4e855a000 rw-p 00015000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7fd4e855a000-7fd4e8baf000 r--p 00000000 08:03 107790                     /usr/lib64/locale/locale-archive
7fd4e8baf000-7fd4e8bbb000 r-xp 00000000 08:03 665772                     /lib64/libnss_files-2.13.so
7fd4e8bbb000-7fd4e8dba000 ---p 0000c000 08:03 665772                     /lib64/libnss_files-2.13.so
7fd4e8dba000-7fd4e8dbb000 r--p 0000b000 08:03 665772                     /lib64/libnss_files-2.13.so
7fd4e8dbb000-7fd4e8dbc000 rw-p 0000c000 08:03 665772                     /lib64/libnss_files-2.13.so
7fd4e8dbc000-7fd4e8dbe000 r-xp 00000000 08:03 667043                     /lib64/libdl-2.13.so
7fd4e8dbe000-7fd4e8fbe000 ---p 00002000 08:03 667043                     /lib64/libdl-2.13.so
7fd4e8fbe000-7fd4e8fbf000 r--p 00002000 08:03 667043                     /lib64/libdl-2.13.so
7fd4e8fbf000-7fd4e8fc0000 rw-p 00003000 08:03 667043                     /lib64/libdl-2.13.so
7fd4e8fc0000-7fd4e900f000 r-xp 00000000 08:03 665550                     /lib64/libncurses.so.5.9
7fd4e900f000-7fd4e920e000 ---p 0004f000 08:03 665550                     /lib64/libncurses.so.5.9
7fd4e920e000-7fd4e9212000 r--p 0004e000 08:03 665550                     /lib64/libncurses.so.5.9
7fd4e9212000-7fd4e9213000 rw-p 00052000 08:03 665550                     /lib64/libncurses.so.5.9
7fd4e9213000-7fd4e9214000 rw-p 00000000 00:00 0 
7fd4e9214000-7fd4e93a9000 r-xp 00000000 08:03 667052                     /lib64/libc-2.13.so
7fd4e93a9000-7fd4e95a8000 ---p 00195000 08:03 667052                     /lib64/libc-2.13.so
7fd4e95a8000-7fd4e95ac000 r--p 00194000 08:03 667052                     /lib64/libc-2.13.so
7fd4e95ac000-7fd4e95ad000 rw-p 00198000 08:03 667052                     /lib64/libc-2.13.so
7fd4e95ad000-7fd4e95b3000 rw-p 00000000 00:00 0 
7fd4e95b3000-7fd4e95f0000 r-xp 00000000 08:03 665443                     /lib64/libreadline.so.6.2
7fd4e95f0000-7fd4e97f0000 ---p 0003d000 08:03 665443                     /lib64/libreadline.so.6.2
7fd4e97f0000-7fd4e97f2000 r--p 0003d000 08:03 665443                     /lib64/libreadline.so.6.2
7fd4e97f2000-7fd4e97f8000 rw-p 0003f000 08:03 665443                     /lib64/libreadline.so.6.2
7fd4e97f8000-7fd4e97fa000 rw-p 00000000 00:00 0 
7fd4e97fa000-7fd4e981a000 r-xp 00000000 08:03 667051                     /lib64/ld-2.13.so
7fd4e99da000-7fd4e99de000 rw-p 00000000 00:00 0 
7fd4e9a10000-7fd4e9a11000 rw-p 00000000 00:00 0 
7fd4e9a11000-7fd4e9a18000 r--s 00000000 08:03 115386                     /usr/lib64/gconv/gconv-modules.cache
7fd4e9a18000-7fd4e9a1a000 rw-p 00000000 00:00 0 
7fd4e9a1a000-7fd4e9a1b000 r--p 00020000 08:03 667051                     /lib64/ld-2.13.so
7fd4e9a1b000-7fd4e9a1c000 rw-p 00021000 08:03 667051                     /lib64/ld-2.13.so
7fd4e9a1c000-7fd4e9a1d000 rw-p 00000000 00:00 0 
7fff54eb4000-7fff54ed6000 rw-p 00000000 00:00 0                          [stack]
7fff54f3b000-7fff54f3c000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Comment 15 fkhp 2011-07-31 04:32:21 UTC
# emerge --info tftp-hpa
Portage 2.1.10.9 (default/linux/amd64/10.0, gcc-4.6.1, glibc-2.13-r4, 3.0.0-ccs x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-3.0.0-ccs-x86_64-Intel-R-_Core-TM-2_Duo_CPU_T9300_@_2.50GHz-with-gentoo-2.0.3
Timestamp of tree: Sat, 30 Jul 2011 22:00:01 +0000
ccache version 3.1.5 [disabled]
app-shells/bash:          4.2_p10
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.6.7-r2, 2.7.2-r2, 3.1.3-r1, 3.2-r2
dev-util/ccache:          3.1.5
dev-util/cmake:           2.8.5-r2
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.8.3-r1
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.10.3, 1.11.1-r1
sys-devel/binutils:       2.21.1
sys-devel/gcc:            4.4.5::<unknown repository>, 4.5.2, 4.6.1
sys-devel/gcc-config:     1.5-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 2.6.38 (virtual/os-headers)
sys-libs/glibc:           2.13-r4
Repositories: gentoo x11 sunrise gentoo-zh vmware local_overlay
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-mtune=core2 -march=core2 -O2 -msse4.1 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.2/ext-active/ /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.2/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.2/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-mtune=core2 -march=core2 -O2 -msse4.1 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs collision-protect distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://gentoo.netnitco.net/ "
LANG="zh_CN.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="zh_CN en_US zh en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/dev/shm/"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/x11 /var/lib/layman/sunrise /var/lib/layman/gentoo-zh /var/lib/layman/vmware /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac accessibility acl acpi alsa amd64 ao apache2 avahi bash-completion berkdb branding bzip2 cairo caps cdr cjk cli clutter consolekit cracklib crypt cups cxx dbus dga djvu dri dts dvd dvdr eds emboss encode evo examples exif fam ffmpeg firefox flac fortran gdbm gdu gif gimp gnome gnome-keyring gphoto2 gpm gstreamer gtk guile i18n iconv icu ipv6 jadetex java jpeg jpeg2k latex lcms ldap libnotify mad midi mikmod mmap mmx mng modules mp3 mp4 mpeg mudflap multilib mysql nas nautilus ncurses networkmanager nfs nls nntp nptl nptlonly nsplugin nvidia ogg opengl openmp pam pango pch pcre pda pdf perl php png policykit ppds pppd pulseaudio python qt3support qt4 readline samba scsi sdl session smp snmp spell sqlite sse sse2 sse3 ssl ssse3 startup-notification suid svg sysfs tcpd threads tiff tk truetype unicode usb v4l2 vim-syntax vorbis x264 xattr xcb xml xmp xorg xulrunner xv xvid xvmc zlib" ALSA_CARDS="ens1370 hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" 
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="zh_CN en_US zh en" PHP_TARGETS="php5-3" QEMU_SOFTMMU_TARGETS="x86_64" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="vmwgfx vmwlegacy nouveau nvidia nv vmware vesa svga" XTABLES_ADDONS="cui gfw zhang ipset" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

net-ftp/tftp-hpa-5.1 was built with the following:
USE="ipv6 (multilib) readline tcpd (-selinux)"
Comment 16 fkhp 2011-07-31 04:35:00 UTC
all Available versions:  0.49-r1 (~)5.0 (~)5.1  from gentoo failed :
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2011-10-09 17:30:49 UTC
(In reply to comment #16)
> all Available versions:  0.49-r1 (~)5.0 (~)5.1  from gentoo failed :

fkhp, it does not look like these errors are related to this vulnerability. Please open a new bug if this is a new issue. Thank you.
Comment 18 SpanKY gentoo-dev 2011-10-09 19:19:52 UTC
that is already Bug 375157
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 19:08:47 UTC
This issue was resolved and addressed in
GLSA 201206-12 at http://security.gentoo.org/glsa/glsa-201206-12.xml
by GLSA coordinator Stefan Behte (craig).
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2012-07-23 19:28:01 UTC
CVE-2011-2199 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2199):
  Buffer overflow in tftp-hpa before 5.1 allows remote attackers to cause a
  denial of service and possibly execute arbitrary code via the utimeout
  option.