Your message dated Thu, 15 May 2025 13:50:10 +0000
with message-id <e1ufyyq-002wu4...@fasolo.debian.org>
and subject line Bug#1105806: fixed in net-tools 2.10-1.2
has caused the Debian Bug report #1105806,
regarding net-tools: CVE-2025-46836
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1105806: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105806
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: net-tools
Version: 2.10-1.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for net-tools.

CVE-2025-46836[0]:
| net-tools is a collection of programs that form the base set of the
| NET-3 networking distribution for the Linux operating system. In
| versions up to and including 2.10, the Linux network utilities (like
| ifconfig) from the net-tools package do not properly validate the
| structure of /proc files when showing interfaces. `get_name()` in
| `interface.c` copies interface labels from `/proc/net/dev` into a
| fixed 16-byte stack buffer without bounds checking, leading to
| possible arbitrary code execution or crash. The known attack path
| does not require privilege but also does not provide privilege
| escalation in this scenario. A patch is available and expected to be
| part of version 2.20.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-46836
    https://www.cve.org/CVERecord?id=CVE-2025-46836
[1] https://github.com/ecki/net-tools/security/advisories/GHSA-pfwf-h6m3-63wf
[2] https://github.com/ecki/net-tools/commit/7a8f42fb20013a1493d8cae1c43436f85e656f2d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
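
The bug class described in the advisory above, shown as a bounds-checked label copy. This is an added example, not part of the original messages and not the net-tools code or its upstream patch. The helper name `parse_ifname`, the constant `IFNAME_BUF` and the sample lines are assumptions made for illustration; it treats the first ':' as the end of the label and does not handle alias labels.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IFNAME_BUF 16 /* size of the fixed buffer named in the advisory */

/* Hypothetical helper, not net-tools code: copy the label before the first
 * ':' of one /proc/net/dev line into out. Returns a pointer just past the
 * ':' on success. Returns NULL and leaves out empty when the label is
 * missing, has no ':' after it, or would not fit together with its NUL. */
static const char *parse_ifname(char out[IFNAME_BUF], const char *line)
{
    size_t n = 0;

    while (isspace((unsigned char)*line))
        line++;
    while (*line && *line != ':' && !isspace((unsigned char)*line)) {
        if (n >= IFNAME_BUF - 1) /* next byte would overrun: reject */
            goto fail;
        out[n++] = *line++;
    }
    if (n == 0 || *line != ':')
        goto fail;
    out[n] = '\0';
    return line + 1;
fail:
    out[0] = '\0';
    return NULL;
}

int main(void)
{
    /* Constructed sample lines in /proc/net/dev layout. */
    const char *lines[] = {
        "    lo: 1234 10 0 0",
        "  eth0: 999 5 0 0",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: 0 0 0 0", /* 32-byte label */
    };
    char name[IFNAME_BUF];

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        if (parse_ifname(name, lines[i]))
            printf("accepted %s\n", name);
        else
            printf("rejected %.24s\n", lines[i]);
    }
    return 0;
}
```

Rejecting the whole line, rather than truncating the label, keeps a malformed entry from being displayed under a name that does not exist.
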
--- Begin Message ---
Source: net-tools
Source-Version: 2.10-1.2
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
net-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1105...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated net-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 15 May 2025 05:43:50 +0200
Source: net-tools
Architecture: source
Version: 2.10-1.2
Distribution: unstable
Urgency: medium
Maintainer: net-tools Team <team+net-to...@tracker.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1105806
Changes:
 net-tools (2.10-1.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-46836: interface.c: Stack-based Buffer Overflow in get_name()
     (Closes: #1105806)
Checksums-Sha1: 
 58b1cd30e9c2deb7d7ad5074ac2986cd7c58802c 2123 net-tools_2.10-1.2.dsc
 da24741a93ea17dd2121dc3c4372e85e0f077b7d 57500 net-tools_2.10-1.2.debian.tar.xz
Checksums-Sha256: 
 dcccf29d844549400f1f16eee42822322afa6a7cbf649b800187b4d5e8907099 2123 net-tools_2.10-1.2.dsc
 558c1e43eb3c27d335a2fb2390bf3cc0105805966d7f91139228a65997de5ee0 57500 net-tools_2.10-1.2.debian.tar.xz
Files: 
 24bfda2a304e11b1e360c2b9205ab2f6 2123 net important net-tools_2.10-1.2.dsc
 03a177f2f4c6ff2126e5bea77d575fca 57500 net important net-tools_2.10-1.2.debian.tar.xz


--- End Message ---
