Package: release.debian.org
Severity: normal
X-Debbugs-Cc: net-to...@packages.debian.org, Martina Ferrari <t...@debian.org>, Utkarsh Gupta <utka...@debian.org>, car...@debian.org
Control: affects -1 + src:net-tools
User: release.debian....@packages.debian.org
Usertags: unblock

Dear release team,

Please unblock package net-tools

[ Reason ]
Fixing a stack-based buffer overflow in get_name() from lib/interface.c. Utilities (for instance ifconfig) do not properly validate data from /proc; get_name() copies the interface labels from /proc/net/dev into a fixed size stack buffer without further bound checking.

[ Impact ]
Crash of tools from net-tools but might lead to arbitrary execution of code (to remove the privilege escalation path one might disable unpriv. user namespaces as mitigation)

[ Tests ]
Basic local tests only.

[ Risks ]
Patch comes directly from upstream and was acked by the reporter upstream.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
Nothing else to mention.

Regards,
Salvatore

diff -Nru net-tools-2.10/debian/changelog net-tools-2.10/debian/changelog --- net-tools-2.10/debian/changelog 2024-04-22 01:55:29.000000000 +0200 +++ net-tools-2.10/debian/changelog 2025-05-15 05:43:50.000000000 +0200 @@ -1,3 +1,11 @@ +net-tools (2.10-1.2) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2025-46836: interface.c: Stack-based Buffer Overflow in get_name() + (Closes: #1105806) + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 15 May 2025 05:43:50 +0200 + net-tools (2.10-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru net-tools-2.10/debian/patches/CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch net-tools-2.10/debian/patches/CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch --- net-tools-2.10/debian/patches/CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch 1970-01-01 01:00:00.000000000 +0100 +++ net-tools-2.10/debian/patches/CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch 2025-05-15 05:43:50.000000000 +0200 
@@ -0,0 +1,92 @@ +From: Zephkeks <zephyrofficialdisc...@gmail.com> +Date: Tue, 13 May 2025 11:04:17 +0200 +Subject: CVE-2025-46836: interface.c: Stack-based Buffer Overflow in + get_name() +Origin: https://github.com/ecki/net-tools/commit/7a8f42fb20013a1493d8cae1c43436f85e656f2d +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-46836 +Bug-Debian: https://bugs.debian.org/1105806 + +Coordinated as GHSA-pfwf-h6m3-63wf +--- + lib/interface.c | 63 ++++++++++++++++++++++++++++++------------------- + 1 file changed, 39 insertions(+), 24 deletions(-) + +diff --git a/lib/interface.c b/lib/interface.c +index 71d4163ac36f..a054f126e2f1 100644 +--- a/lib/interface.c ++++ b/lib/interface.c +@@ -211,32 +211,47 @@ out: + } + + static const char *get_name(char *name, const char *p) ++/* Safe version — guarantees at most IFNAMSIZ‑1 bytes are copied ++ and the destination buffer is always NUL‑terminated. */ + { +- while (isspace(*p)) +- p++; +- while (*p) { +- if (isspace(*p)) +- break; +- if (*p == ':') { /* could be an alias */ +- const char *dot = p++; +- while (*p && isdigit(*p)) p++; +- if (*p == ':') { +- /* Yes it is, backup and copy it. */ +- p = dot; +- *name++ = *p++; +- while (*p && isdigit(*p)) { +- *name++ = *p++; +- } +- } else { +- /* No, it isn't */ +- p = dot; +- } +- p++; +- break; +- } +- *name++ = *p++; ++ char *dst = name; /* current write ptr */ ++ const char *end = name + IFNAMSIZ - 1; /* last byte we may write */ ++ ++ /* Skip leading white‑space. */ ++ while (isspace((unsigned char)*p)) ++ ++p; ++ ++ /* Copy until white‑space, end of string, or buffer full. 
*/ ++ while (*p && !isspace((unsigned char)*p) && dst < end) { ++ if (*p == ':') { /* possible alias veth0:123: */ ++ const char *dot = p; /* remember the colon */ ++ ++p; ++ while (*p && isdigit((unsigned char)*p)) ++ ++p; ++ ++ if (*p == ':') { /* confirmed alias */ ++ p = dot; /* rewind and copy it all */ ++ ++ /* copy the colon */ ++ if (dst < end) ++ *dst++ = *p++; ++ ++ /* copy the digits */ ++ while (*p && isdigit((unsigned char)*p) && dst < end) ++ *dst++ = *p++; ++ ++ if (*p == ':') /* consume trailing colon */ ++ ++p; ++ } else { /* if so treat as normal */ ++ p = dot; ++ } ++ break; /* interface name ends here */ ++ } ++ ++ *dst++ = *p++; /* ordinary character copy */ + } +- *name++ = '\0'; ++ ++ *dst = '\0'; /* always NUL‑terminate */ + return p; + } + +-- +2.49.0 + diff -Nru net-tools-2.10/debian/patches/series net-tools-2.10/debian/patches/series --- net-tools-2.10/debian/patches/series 2023-11-23 15:37:17.000000000 +0100 +++ net-tools-2.10/debian/patches/series 2025-05-15 05:43:50.000000000 +0200 @@ -3,3 +3,4 @@ Add_missing_headers.patch Bug_900962-man-de-typos.patch Bug_549397-fix-decoding-of-MII-vendor-ids.patch +CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch
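
Review bot: In the lib/interface.c hunk, the non-alias branch of get_name() (`} else { /* if so treat as normal */ p = dot; }` followed by `break;`) now returns a pointer that rests on the ':' itself, whereas the removed code ran `p++` after the if/else and so returned the position just past the colon in both the alias and the non-alias case. The callers are not visible in this diff, but any caller that parses the rest of the /proc/net/dev line from the return value would now start at the colon instead of at the first field. Consider adding `++p;` after `p = dot;` in the else branch (or restoring a single skip before `break;`) so the return contract is unchanged. A related point in the same loop: when it exits because `dst < end` is false, `p` is left in the middle of an over-long name, so the return value points at the remainder of the name rather than past it; skipping forward to the terminating colon or whitespace, or reporting the truncation to the caller, would keep the rest of the line from being misparsed. The bound `name + IFNAMSIZ - 1` also assumes every caller passes a buffer of at least IFNAMSIZ bytes, which the signature does not enforce; the new header comment would be a good place to state that requirement, and `/* if so treat as normal */` could be reworded to say that the colon was the plain name terminator.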