Bug 708436 (CVE-2020-5208) - <sys-apps/ipmitool-1.8.18_p20201004-r1: buffer overflows and potentially remote code execution (CVE-2020-5208)
Summary: <sys-apps/ipmitool-1.8.18_p20201004-r1: buffer overflows and potentially remo...
Status: RESOLVED FIXED
Alias: CVE-2020-5208
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://github.com/ipmitool/ipmitool/...
Whiteboard: B1 [glsa+ cve]
Keywords: PullRequest
Reported: 2020-02-06 00:21 UTC by filip ambroz
Modified: 2021-01-10 09:24 UTC
Runtime testing required: ---

Description filip ambroz 2020-02-06 00:21:19 UTC
from URL:

*Impact

It's been found that multiple functions in ipmitool 1.8.18 neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user.

All users of ipmitool are potentially affected.

*Patches

Version 1.8.19 will have this problem fixed.

*Workarounds

There are no workarounds to completely remediate the vulnerability, but the possibility of it being exploited can be significantly lowered by:

- Not running ipmitool as a privileged user
- Not running ipmitool over a demilitarized network or against untrusted IPMI-enabled devices
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-02-06 18:12:22 UTC
It's not just a single patch, it's a whole series of them and they depend on other commits post 1.8.18.

I'm not sure of upstream's release schedule for 1.8.19 yet, punting to wait for upstream.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 01:44:58 UTC
CVE-2020-5208 (https://nvd.nist.gov/vuln/detail/CVE-2020-5208):
  It's been found that multiple functions in ipmitool before 1.8.19 neglect
  proper checking of the data received from a remote LAN party, which may lead
  to buffer overflows and potentially to remote code execution on the ipmitool
  side. This is especially dangerous if ipmitool is run as a privileged user.
  This problem is fixed in version 1.8.19.
Comment 4 Sam James archtester gentoo-dev Security 2020-04-17 01:45:47 UTC
(In reply to Robin Johnson from comment #2)
> It's not just a single patch, it's a whole series of them and they depend on
> other commits post 1.8.18.
> 
> I'm not sure of upstream's release schedule for 1.8.19 yet, punting to wait
> for upstream.

No problem. Obviously let us know when they release .19 if we don't catch it ourselves. Thanks as always.
Comment 5 Larry the Git Cow gentoo-dev 2020-10-21 22:09:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=354053fecd502788f67e9d432c0985f3ab724c79

commit 354053fecd502788f67e9d432c0985f3ab724c79
Author:     Robin H. Johnson <robbat2@gentoo.org>
AuthorDate: 2020-10-21 22:08:51 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2020-10-21 22:09:13 +0000

    sys-apps/ipmitool: snapshot upstream for CVE
    
    Upstream has still made a new release since 2016/10/08; including the
    promised 1.8.19 per their own security advisory on 2020/02/04.
    
    Capture the latest upstream state as a snapshot release, and port the
    Debian patchset to it, as the Debian patchset contains other updates &
    CVE fixes rejected by upstream.
    
    Reference: https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
    Bug: https://bugs.gentoo.org/708436
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 sys-apps/ipmitool/Manifest                         |   4 +
 sys-apps/ipmitool/ipmitool-1.8.18-r2.ebuild        |  96 ++++++++++++++
 sys-apps/ipmitool/ipmitool-1.8.18_p20201004.ebuild | 145 +++++++++++++++++++++
 3 files changed, 245 insertions(+)
Comment 6 John Helmert III (ajak) 2020-10-22 01:11:43 UTC
Thanks! Please proceed with stabilization when ready.
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-10-24 20:35:08 UTC
stable-arches: amd64, hppa, ppc, x86

arches, please compile-test and stabilize sys-apps/ipmitool_p20201004

If you have IPMI hardware, you can also test with it, but that shouldn't hold up the rest of this.
Comment 8 NATTkA bot gentoo-dev 2020-10-24 20:37:01 UTC
Unable to check for sanity:

> disallowed package spec (only = allowed): sys-apps/ipmitool_p20201004
Comment 9 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-10-24 21:57:34 UTC
arches:
sys-apps/ipmitool_p20201004-r1 for stablereq
sys-apps/ipmitool_p20201004-r2 adds more tooling from contrib/
Comment 10 NATTkA bot gentoo-dev 2020-10-24 22:02:13 UTC
Unable to check for sanity:

> disallowed package spec (only = allowed): sys-apps/ipmitool_p20201004-r1
Comment 11 NATTkA bot gentoo-dev 2020-10-25 21:33:09 UTC
Sanity check failed:

> sys-apps/ipmitool-1.8.18_p20201004-r1
>   depend hppa stable profile default/linux/hppa/17.0 (3 total)
>     sys-apps/systemd:0=
>   rdepend hppa stable profile default/linux/hppa/17.0 (3 total)
>     sys-apps/systemd:0=
Comment 12 Thomas Deutschmann gentoo-dev Security 2020-10-25 23:09:04 UTC
x86 stable
Comment 13 Sergei Trofimovich gentoo-dev 2020-10-27 08:12:42 UTC
ppc stable
Comment 14 NATTkA bot gentoo-dev 2020-10-27 22:33:04 UTC
Sanity check failed:

> sys-apps/ipmitool-1.8.18_p20201004-r1
>   depend hppa stable profile default/linux/hppa/17.0 (3 total)
>     sys-apps/systemd:0=
>   rdepend hppa stable profile default/linux/hppa/17.0 (3 total)
>     sys-apps/systemd:0=
Comment 15 Sam James archtester gentoo-dev Security 2020-11-06 20:25:00 UTC
amd64 done
Comment 16 Sergei Trofimovich gentoo-dev 2020-11-14 19:32:26 UTC
hppa stable
Comment 17 John Helmert III (ajak) 2020-11-14 20:41:57 UTC
Maintainers, please cleanup
Comment 18 Larry the Git Cow gentoo-dev 2020-12-29 20:46:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=989d26c6ff9f0298eba4b09df237862cf9509af8

commit 989d26c6ff9f0298eba4b09df237862cf9509af8
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-12-27 08:36:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-12-29 20:46:35 +0000

    sys-apps/ipmitool: security cleanup (drop <1.8.18_p20201004-r1)
    
    Bug: https://bugs.gentoo.org/708436
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/18827
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/ipmitool/Manifest                  |  3 -
 sys-apps/ipmitool/ipmitool-1.8.18-r1.ebuild | 89 --------------------------
 sys-apps/ipmitool/ipmitool-1.8.18-r2.ebuild | 96 -----------------------------
 3 files changed, 188 deletions(-)
Comment 19 Sam James archtester gentoo-dev Security 2020-12-29 20:47:46 UTC
Tree clean, GLSA request already filed.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2021-01-10 09:24:14 UTC
This issue was resolved and addressed in
 GLSA 202101-03 at https://security.gentoo.org/glsa/202101-03
by GLSA coordinator Sam James (sam_c).
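
An added example, not part of the bug thread or of Gentoo's tooling: a check of installed package versions against the affected range from the bug title (`<sys-apps/ipmitool-1.8.18_p20201004-r1`). The function names are hypothetical, the installed list is constructed sample data, and the comparison is a simplified subset of Gentoo's version ordering (it ignores the leading-zero rule for numeric components).

```python
import re

# First fixed version, taken from the bug title (everything below it is affected).
FIXED = "1.8.18_p20201004-r1"

# Gentoo suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}
_SUFFIX = r"_(alpha|beta|pre|rc|p)(\d*)"
_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z]?)((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$"
)

def version_key(version):
    """Turn a version string into a tuple that sorts in Gentoo order."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(n) for n in m.group(1).split("."))
    suffixes = tuple(
        (_SUFFIX_RANK[name], int(num or 0))
        for name, num in re.findall(_SUFFIX, m.group(3))
    )
    # The (0, 0) terminator ranks "no further suffix" above _rc and below _p.
    return numbers, m.group(2), suffixes + ((0, 0),), int(m.group(4) or 0)

def is_affected(version):
    """True if the version is older than the first fixed ebuild."""
    return version_key(version) < version_key(FIXED)

def affected_packages(installed, package="sys-apps/ipmitool"):
    """Filter category/package-version strings down to the affected ones."""
    prefix = package + "-"
    hits = []
    for cpv in installed:
        if not cpv.startswith(prefix):
            continue
        try:
            if is_affected(cpv[len(prefix):]):
                hits.append(cpv)
        except ValueError:
            pass  # another package sharing the prefix, or an unsupported format
    return hits

# Constructed sample of installed packages, not taken from a real system.
SAMPLE = ["sys-apps/ipmitool-1.8.18-r2", "sys-apps/ipmitool-1.8.18_p20201004-r1",
          "sys-apps/portage-3.0.12"]
print(affected_packages(SAMPLE))
```

On a Gentoo system the package manager's own version comparison is authoritative; this sketch only illustrates why `1.8.18-r2` and the unrevised `1.8.18_p20201004` snapshot both sort below the fixed ebuild.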