Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 813079 (CVE-2021-41054) - <net-ftp/atftp-0.7.5: buffer overflow (CVE-2021-41054)
Summary: <net-ftp/atftp-0.7.5: buffer overflow (CVE-2021-41054)
Status: IN_PROGRESS
Alias: CVE-2021-41054
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://sourceforge.net/p/atftp/code/...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 814803
Blocks:
  Show dependency tree
 
Reported: 2021-09-14 19:37 UTC by John Helmert III
Modified: 2021-10-02 13:15 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-09-14 19:37:28 UTC
CVE-2021-41054:

tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buffer-size handling does not properly consider the combination of data, OACK, and other options.


Please remember to file security bugs if there are security issues in your
packages!
Comment 1 Martin Dummer 2021-09-14 19:41:02 UTC
Hi, did not know that.

There is already a github PR for this:
https://github.com/gentoo/gentoo/pull/22287
Comment 2 Larry the Git Cow gentoo-dev 2021-09-14 20:15:27 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3434fdb7c1eba3721771dece9523b70d9775bbe1

commit 3434fdb7c1eba3721771dece9523b70d9775bbe1
Author:     Martin Dummer <martin.dummer@gmx.net>
AuthorDate: 2021-09-13 23:27:44 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2021-09-14 20:15:04 +0000

    net-ftp/atftp: version bump to 0.7.5
    
    Version 0.7.5 (Bugfix, Security Fix Release)
    
    fix many bugs, fix denial-of-service buffer overflow CVE-2021-41054
    new feature: add an option to prevent the Sorcerer's Apprentice Syndrome
    
    Closes: https://bugs.gentoo.org/813079
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Martin Dummer <martin.dummer@gmx.net>
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 net-ftp/atftp/Manifest                       |  1 +
 net-ftp/atftp/atftp-0.7.5.ebuild             | 66 ++++++++++++++++++++++++++++
 net-ftp/atftp/files/atftp-0.7.5-CFLAGS.patch | 32 ++++++++++++++
 3 files changed, 99 insertions(+)
Comment 3 John Helmert III gentoo-dev Security 2021-09-15 19:22:02 UTC
(In reply to Martin Dummer from comment #1)
> Hi, did not know that.
> 
> There is already a github PR for this:
> https://github.com/gentoo/gentoo/pull/22287

No worries and thanks! Please file a stablereq to block this bug when ready.
Comment 4 John Helmert III gentoo-dev Security 2021-09-25 14:21:15 UTC
Stablereq can be a dependency, we want to be notified when the stablereq is finished. Not sure if bugzie notifies us when a see also'd bug is finished.
Comment 5 John Helmert III gentoo-dev Security 2021-10-02 01:27:42 UTC
Please cleanup.
Comment 6 Larry the Git Cow gentoo-dev 2021-10-02 09:22:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99b10149133d44a4e5c41905c8f88427c10bc6a6

commit 99b10149133d44a4e5c41905c8f88427c10bc6a6
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2021-10-02 09:22:27 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2021-10-02 09:22:38 +0000

    net-ftp/atftp: Remove old (vulnerable) v0.7.4
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=813079
    Package-Manager: Portage-3.0.23, Repoman-3.0.3
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 net-ftp/atftp/Manifest           |  1 -
 net-ftp/atftp/atftp-0.7.4.ebuild | 66 ----------------------------------------
 2 files changed, 67 deletions(-)