First Last Prev Next    This bug is not in your last search results.
Bug 1133114 - (CVE-2019-11365) VUL-0: CVE-2019-11365: atftp: A remote attacker may send a crafted packet triggering a stack-based buffer overflow due to an insecurely implemented strncpy call. The vulnerability is trigger
(CVE-2019-11365)
VUL-0: CVE-2019-11365: atftp: A remote attacker may send a crafted packet tr...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P1 - Urgent : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/230037/
maint:released:sle10-sp3:64272
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-04-23 14:21 UTC by Marcus Meissner
Modified: 2021-06-25 08:50 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
xx.py (472 bytes, text/x-python)
2019-04-23 14:31 UTC, Marcus Meissner 		Details
Patch (1.37 KB, patch)
2019-04-23 16:39 UTC, Pedro Monreal Gonzalez 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2019-04-23 14:21:02 UTC 
CVE-2019-11365

An issue was discovered in atftpd in atftp 0.7.1. A remote attacker may send a
crafted packet triggering a stack-based buffer overflow due to an insecurely
implemented strncpy call. The vulnerability is triggered by sending an error
packet of 3 bytes or fewer. There are multiple instances of this vulnerable
strncpy pattern within the code base, specifically within tftpd_file.c,
tftp_file.c, tftpd_mtftp.c, and tftp_mtftp.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11365
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11365.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11365
http://www.cvedetails.com/cve/CVE-2019-11365/
https://pulsesecurity.co.nz/advisories/atftpd-multiple-vulnerabilities
https://sourceforge.net/p/atftp/code/ci/abed7d245d8e8bdfeab24f9f7f55a52c3140f96b/
Comment 1 Marcus Meissner 2019-04-23 14:31:44 UTC 
Created attachment 803417 [details]
xx.py

QA REPRODUCER:

install atftp
gdb atftpd

r --daemon --no-fork --port 69

(should wait)

on another shell on the same host run:

python xx.py  

look if atftp has crashed in gdb.
Comment 2 Marcus Meissner 2019-04-23 14:32:22 UTC 
before:
gdb will go into
Thread 2 "atftpd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff6b5f700 (LWP 17320)]
0x00007ffff7439775 in __strncpy_sse2_unaligned () from /lib64/libc.so.6
(gdb) bt

something like that.

After it should not get a SEGV.
Comment 3 Pedro Monreal Gonzalez 2019-04-23 16:39:26 UTC 
Created attachment 803429 [details]
Patch

Before:
[New Thread 0x7ffff739e700 (LWP 9781)]

Thread 2 "atftpd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff739e700 (LWP 9781)]
0x00007ffff74397c5 in __strncpy_sse2_unaligned () from /lib64/libc.so.6

After:
[New Thread 0x7ffff739e700 (LWP 9888)]
[Thread 0x7ffff739e700 (LWP 9888) exited]
Comment 5 Pedro Monreal Gonzalez 2019-04-26 10:14:48 UTC 
Updated also in Factory, see:
https://build.opensuse.org/request/show/698121
Comment 7 Swamp Workflow Management 2019-04-26 15:31:11 UTC 
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2019-05-03.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64271
Comment 8 Swamp Workflow Management 2019-04-29 16:11:44 UTC 
SUSE-SU-2019:1091-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1133114,1133145
CVE References: CVE-2019-11365,CVE-2019-11366
Sources used:
SUSE OpenStack Cloud 7 (src):    atftp-0.7.0-160.8.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    atftp-0.7.0-160.8.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    atftp-0.7.0-160.8.1
SUSE Linux Enterprise Server 12-SP4 (src):    atftp-0.7.0-160.8.1
SUSE Linux Enterprise Server 12-SP3 (src):    atftp-0.7.0-160.8.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    atftp-0.7.0-160.8.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    atftp-0.7.0-160.8.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    atftp-0.7.0-160.8.1
SUSE Linux Enterprise Server 12-LTSS (src):    atftp-0.7.0-160.8.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    atftp-0.7.0-160.8.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    atftp-0.7.0-160.8.1
SUSE Enterprise Storage 4 (src):    atftp-0.7.0-160.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-04-29 22:12:41 UTC 
SUSE-SU-2019:14033-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1133114,1133145
CVE References: CVE-2019-11365,CVE-2019-11366
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    atftp-0.7.0-135.23.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    atftp-0.7.0-135.23.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    atftp-0.7.0-135.23.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    atftp-0.7.0-135.23.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Marcus Meissner 2019-07-06 07:58:37 UTC 
released
Comment 11 OBSbugzilla Bot 2021-06-25 08:50:16 UTC 
This is an autogenerated message for OBS integration:
This bug (1133114) was mentioned in
https://build.opensuse.org/request/show/902297 15.3 / atftp
https://build.opensuse.org/request/show/902298 Backports:SLE-15-SP2 / atftp
First Last Prev Next    This bug is not in your last search results.