Your message dated Sun, 18 May 2025 20:40:24 +0000
with message-id <e1ugko4-000kdm...@fasolo.debian.org>
and subject line Bug#1105806: fixed in net-tools 2.10-0.1+deb12u1
has caused the Debian Bug report #1105806,
regarding net-tools: CVE-2025-46836
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1105806: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105806
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: net-tools
Version: 2.10-1.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for net-tools.
CVE-2025-46836[0]:
| net-tools is a collection of programs that form the base set of the
| NET-3 networking distribution for the Linux operating system. In
| versions up to and including 2.10, the Linux network utilities (like
| ifconfig) from the net-tools package do not properly validate the
| structure of /proc files when showing interfaces. `get_name()` in
| `interface.c` copies interface labels from `/proc/net/dev` into a
| fixed 16-byte stack buffer without bounds checking, leading to
| possible arbitrary code execution or crash. The known attack path
| does not require privilege but also does not provide privilege
| escalation in this scenario. A patch is available and expected to be
| part of version 2.20.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-46836
https://www.cve.org/CVERecord?id=CVE-2025-46836
[1] https://github.com/ecki/net-tools/security/advisories/GHSA-pfwf-h6m3-63wf
[2] https://github.com/ecki/net-tools/commit/7a8f42fb20013a1493d8cae1c43436f85e656f2d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
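The bounds-checked label copy that the CVE description says was missing, as an added example (not net-tools code and not the upstream patch). `parse_ifname`, `IFNAME_MAX` and the sample lines are constructed here, and the label is assumed to end at the first `:`.

```c
#include <ctype.h>
#include <stdio.h>

#define IFNAME_MAX 16  /* buffer size named in the advisory; includes the NUL */

/*
 * Copy the interface label from one /proc/net/dev-style line into name[].
 * Returns a pointer to the text after the ':' on success, or NULL when the
 * line has no ':' or the label does not fit in namesz bytes (with NUL).
 * Simplification: the label ends at the first ':' (no "eth0:1" alias forms).
 */
static const char *parse_ifname(const char *line, char *name, size_t namesz)
{
    size_t n = 0;

    if (namesz == 0)
        return NULL;
    name[0] = '\0';
    while (isspace((unsigned char)*line))
        line++;

    while (*line != '\0' && *line != ':' && !isspace((unsigned char)*line)) {
        if (n + 1 >= namesz) {   /* no room for this byte plus the NUL */
            name[0] = '\0';
            return NULL;         /* reject instead of truncating or overflowing */
        }
        name[n++] = *line++;
    }
    name[n] = '\0';

    if (*line != ':' || n == 0) { /* malformed line: no label or no colon */
        name[0] = '\0';
        return NULL;
    }
    return line + 1;
}

/* Constructed sample lines, not captured from a real system. */
static const char *const sample_ok   = "  eth0: 1500 10 0 0";
static const char *const sample_long = "  interface_name_longer_than_fifteen: 1 2 3";

int main(void)
{
    char name[IFNAME_MAX];
    printf("ok:   %s\n", parse_ifname(sample_ok, name, sizeof name) ? name : "(rejected)");
    printf("long: %s\n", parse_ifname(sample_long, name, sizeof name) ? name : "(rejected)");
    return 0;
}
```

An over-long label is rejected outright rather than truncated, so a malformed `/proc/net/dev` line never yields a partial interface name.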
--- Begin Message ---
Source: net-tools
Source-Version: 2.10-0.1+deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
net-tools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1105...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated net-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 15 May 2025 05:52:03 +0200
Source: net-tools
Architecture: source
Version: 2.10-0.1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: net-tools Team <team+net-to...@tracker.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1105806
Changes:
net-tools (2.10-0.1+deb12u1) bookworm-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2025-46836: interface.c: Stack-based Buffer Overflow in get_name()
(Closes: #1105806)
Checksums-Sha1:
a160d29de8c51bea449593061b02d414e845d73f 2155 net-tools_2.10-0.1+deb12u1.dsc
4080baab0486dc882c3b293d5559c27251ae4268 229616 net-tools_2.10.orig.tar.xz
676825dfdb5cee151659be9a7db8671936aa5ccf 57464 net-tools_2.10-0.1+deb12u1.debian.tar.xz
Checksums-Sha256:
274ce1428ad99c42e131005d32d5818a8c345663f9ffe7b399d57f715eb80fad 2155 net-tools_2.10-0.1+deb12u1.dsc
b262435a5241e89bfa51c3cabd5133753952f7a7b7b93f32e08cb9d96f580d69 229616 net-tools_2.10.orig.tar.xz
7a3a2a4c80187cf00e96ee336b66ee9b6dff638be969d957ce822727fe35bd40 57464 net-tools_2.10-0.1+deb12u1.debian.tar.xz
Files:
c9f7993ffa6e3b1c7a5791b8a7a14c6a 2155 net important net-tools_2.10-0.1+deb12u1.dsc
78aae762c95e2d731faf88d482e4cde5 229616 net important net-tools_2.10.orig.tar.xz
17108dd6059ec87ededb7ecef2da3a42 57464 net important net-tools_2.10-0.1+deb12u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---