Your message dated Fri, 16 May 2025 18:38:38 +0000
with message-id <e1ufzx8-005ban...@respighi.debian.org>
and subject line unblock net-tools
has caused the Debian Bug report #1105890,
regarding unblock: net-tools/2.10-1.2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1105890: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105890
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: net-to...@packages.debian.org, Martina Ferrari <t...@debian.org>,
Utkarsh Gupta <utka...@debian.org>, car...@debian.org
Control: affects -1 + src:net-tools
User: release.debian....@packages.debian.org
Usertags: unblock
Dear release team,
Please unblock package net-tools
[ Reason ]
Fixing a stack-based buffer overflow in get_name() from
lib/interface.c. Utilities (for instance ifconfig) do not properly
validate data from /proc; get_name() copies the interface labels from
/proc/net/dev into a fixed size stack buffer without further bounds
checking.
[ Impact ]
Crash of tools from net-tools but might lead to arbitrary execution of
code (to remove the privilege escalation path one might disable
unprivileged user namespaces as mitigation).
[ Tests ]
Basic local tests only.
[ Risks ]
Patch comes directly from upstream and acked by the reporter upstream.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
Nothing else to mention.
Regards,
Salvatore
diff -Nru net-tools-2.10/debian/changelog net-tools-2.10/debian/changelog
--- net-tools-2.10/debian/changelog 2024-04-22 01:55:29.000000000 +0200
+++ net-tools-2.10/debian/changelog 2025-05-15 05:43:50.000000000 +0200
@@ -1,3 +1,11 @@
+net-tools (2.10-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2025-46836: interface.c: Stack-based Buffer Overflow in get_name()
+ (Closes: #1105806)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Thu, 15 May 2025 05:43:50 +0200
+
net-tools (2.10-1.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru
net-tools-2.10/debian/patches/CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch
net-tools-2.10/debian/patches/CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch
---
net-tools-2.10/debian/patches/CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch
1970-01-01 01:00:00.000000000 +0100
+++
net-tools-2.10/debian/patches/CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch
2025-05-15 05:43:50.000000000 +0200
@@ -0,0 +1,92 @@
+From: Zephkeks <zephyrofficialdisc...@gmail.com>
+Date: Tue, 13 May 2025 11:04:17 +0200
+Subject: CVE-2025-46836: interface.c: Stack-based Buffer Overflow in
+ get_name()
+Origin:
https://github.com/ecki/net-tools/commit/7a8f42fb20013a1493d8cae1c43436f85e656f2d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-46836
+Bug-Debian: https://bugs.debian.org/1105806
+
+Coordinated as GHSA-pfwf-h6m3-63wf
+---
+ lib/interface.c | 63 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 24 deletions(-)
+
+diff --git a/lib/interface.c b/lib/interface.c
+index 71d4163ac36f..a054f126e2f1 100644
+--- a/lib/interface.c
++++ b/lib/interface.c
+@@ -211,32 +211,47 @@ out:
+ }
+
+ static const char *get_name(char *name, const char *p)
++/* Safe version — guarantees at most IFNAMSIZ‑1 bytes are copied
++ and the destination buffer is always NUL‑terminated. */
+ {
+- while (isspace(*p))
+- p++;
+- while (*p) {
+- if (isspace(*p))
+- break;
+- if (*p == ':') { /* could be an alias */
+- const char *dot = p++;
+- while (*p && isdigit(*p)) p++;
+- if (*p == ':') {
+- /* Yes it is, backup and copy it. */
+- p = dot;
+- *name++ = *p++;
+- while (*p && isdigit(*p)) {
+- *name++ = *p++;
+- }
+- } else {
+- /* No, it isn't */
+- p = dot;
+- }
+- p++;
+- break;
+- }
+- *name++ = *p++;
++ char *dst = name; /* current write ptr */
++ const char *end = name + IFNAMSIZ - 1; /* last byte we may write */
++
++ /* Skip leading white‑space. */
++ while (isspace((unsigned char)*p))
++ ++p;
++
++ /* Copy until white‑space, end of string, or buffer full. */
++ while (*p && !isspace((unsigned char)*p) && dst < end) {
++ if (*p == ':') { /* possible alias veth0:123: */
++ const char *dot = p; /* remember the colon */
++ ++p;
++ while (*p && isdigit((unsigned char)*p))
++ ++p;
++
++ if (*p == ':') { /* confirmed alias */
++ p = dot; /* rewind and copy it all */
++
++ /* copy the colon */
++ if (dst < end)
++ *dst++ = *p++;
++
++ /* copy the digits */
++ while (*p && isdigit((unsigned char)*p) && dst < end)
++ *dst++ = *p++;
++
++ if (*p == ':') /* consume trailing colon */
++ ++p;
++ } else { /* if so treat as normal */
++ p = dot;
++ }
++ break; /* interface name ends here */
++ }
++
++ *dst++ = *p++; /* ordinary character copy */
+ }
+- *name++ = '\0';
++
++ *dst = '\0'; /* always NUL‑terminate */
+ return p;
+ }
+
+--
+2.49.0
+
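Review bot: In the rewritten get_name(), the non-alias `else` branch sets `p = dot` and then reaches `break` without stepping over the colon, while the removed code ran `p++` before `break` on both paths. For an ordinary label followed by a single colon the function therefore now returns a pointer to the `:` itself rather than to the first byte after it, so whatever parses the rest of the line from the return value starts one byte earlier than before. Suggest `p = dot + 1;` in that branch so the return value keeps its old meaning. A second point in the same loop: when it exits because `dst` reached `end`, the name is silently truncated and the returned pointer is left in the middle of the over-long label; an error return the caller can check would be safer than a partial name plus a misaligned pointer. The block comment placed between the declarator and the opening `{` would also read better above the function.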
diff -Nru net-tools-2.10/debian/patches/series
net-tools-2.10/debian/patches/series
--- net-tools-2.10/debian/patches/series 2023-11-23 15:37:17.000000000
+0100
+++ net-tools-2.10/debian/patches/series 2025-05-15 05:43:50.000000000
+0200
@@ -3,3 +3,4 @@
Add_missing_headers.patch
Bug_900962-man-de-typos.patch
Bug_549397-fix-decoding-of-MII-vendor-ids.patch
+CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---