Version in base suite: 2.10-0.1 Version in overlay suite: 2.10-0.1+deb12u1 Base version: net-tools_2.10-0.1+deb12u1 Target version: net-tools_2.10-0.1+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/net-tools/net-tools_2.10-0.1+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/net-tools/net-tools_2.10-0.1+deb12u2.dsc changelog | 10 + patches/Interface-statistic-regression-after-7a8f42fb2.patch | 32 ++++ patches/ipmaddr.c-Stack-based-buffer-Overflow-in-parse_hex.patch | 56 ++++++++ patches/proc.c-Stack-based-Buffer-Overflow-in-net-tools-proc.patch | 68 ++++++++++ patches/series | 3 5 files changed, 169 insertions(+) diff -Nru net-tools-2.10/debian/changelog net-tools-2.10/debian/changelog --- net-tools-2.10/debian/changelog 2025-05-15 03:52:03.000000000 +0000 +++ net-tools-2.10/debian/changelog 2025-05-26 19:27:23.000000000 +0000 @@ -1,3 +1,13 @@ +net-tools (2.10-0.1+deb12u2) bookworm-security; urgency=high + + * Non-maintainer upload by the Security Team. + * ipmaddr.c: Stack-based buffer Overflow in parse_hex() + * Fix interface statistic regression. + Thanks to Christian Herzog for the report (Closes: #1106147) + * proc.c: Stack-based Buffer Overflow in net-tools (proc_gen_fmt) + + -- Salvatore Bonaccorso Mon, 26 May 2025 21:27:23 +0200 + net-tools (2.10-0.1+deb12u1) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru net-tools-2.10/debian/patches/Interface-statistic-regression-after-7a8f42fb2.patch net-tools-2.10/debian/patches/Interface-statistic-regression-after-7a8f42fb2.patch --- net-tools-2.10/debian/patches/Interface-statistic-regression-after-7a8f42fb2.patch 1970-01-01 00:00:00.000000000 +0000 +++ net-tools-2.10/debian/patches/Interface-statistic-regression-after-7a8f42fb2.patch 2025-05-26 19:27:23.000000000 +0000 @@ -0,0 +1,32 @@ +From: Bernd Eckenfels +Date: Sat, 17 May 2025 21:53:23 +0200 +Subject: Interface statistic regression after 7a8f42fb2 +Origin: https://github.com/ecki/net-tools/commit/ddb0e375fb9ca95bb69335540b85bbdaa2714348 +Bug-Debian: https://bugs.debian.org/1106147 + +--- + lib/interface.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/lib/interface.c b/lib/interface.c +index a054f126e2f1..ca4adf1a9a53 100644 +--- a/lib/interface.c ++++ b/lib/interface.c +@@ -239,12 +239,11 @@ static const char *get_name(char *name, const char *p) + /* copy the digits */ + while (*p && isdigit((unsigned char)*p) && dst < end) + *dst++ = *p++; +- +- if (*p == ':') /* consume trailing colon */ +- ++p; + } else { /* if so treat as normal */ + p = dot; + } ++ if (*p == ':') /* consume trailing colon */ ++ ++p; + break; /* interface name ends here */ + } + +-- +2.49.0 + diff -Nru net-tools-2.10/debian/patches/ipmaddr.c-Stack-based-buffer-Overflow-in-parse_hex.patch net-tools-2.10/debian/patches/ipmaddr.c-Stack-based-buffer-Overflow-in-parse_hex.patch --- net-tools-2.10/debian/patches/ipmaddr.c-Stack-based-buffer-Overflow-in-parse_hex.patch 1970-01-01 00:00:00.000000000 +0000 +++ net-tools-2.10/debian/patches/ipmaddr.c-Stack-based-buffer-Overflow-in-parse_hex.patch 2025-05-26 19:27:23.000000000 +0000 @@ -0,0 +1,56 @@ +From: Bernd Eckenfels +Date: Sat, 17 May 2025 21:11:07 +0200 +Subject: ipmaddr.c: Stack-based buffer Overflow in parse_hex() +Origin: https://github.com/ecki/net-tools/commit/a7926399a04ee8e629a02a2aeb6de1952d42d559 + +Coordinated as GHSA-h667-qrp8-gj58. +--- + ipmaddr.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/ipmaddr.c b/ipmaddr.c +index 64b7564372ea..623fadd4f09d 100644 +--- a/ipmaddr.c ++++ b/ipmaddr.c +@@ -91,17 +91,17 @@ static int parse_lla(char *str, char *addr) + return len; + } + +-static int parse_hex(char *str, unsigned char *addr) ++static int parse_hex(char *str, unsigned char *dst, size_t dstlen) + { + int len=0; + +- while (*str) { ++ while (len < dstlen && *str) { + int tmp; + if (str[1] == 0) + return -1; + if (sscanf(str, "%02x", &tmp) != 1) + return -1; +- addr[len] = tmp; ++ dst[len] = tmp; + len++; + str += 2; + } +@@ -152,7 +152,7 @@ void read_dev_mcast(struct ma_info **result_p) + + m.addr.family = AF_PACKET; + +- len = parse_hex(hexa, (unsigned char*)&m.addr.data); ++ len = parse_hex(hexa, (unsigned char*)&m.addr.data, sizeof(m.addr.data)); + if (len >= 0) { + struct ma_info *ma = xmalloc(sizeof(m)); + memcpy(ma, &m, sizeof(m)); +@@ -222,7 +222,7 @@ void read_igmp6(struct ma_info **result_p) + + m.addr.family = AF_INET6; + +- len = parse_hex(hexa, (unsigned char*)&m.addr.data); ++ len = parse_hex(hexa, (unsigned char*)&m.addr.data, sizeof(m.addr.data)); + if (len >= 0) { + struct ma_info *ma = xmalloc(sizeof(m)); + memcpy(ma, &m, sizeof(m)); +-- +2.49.0 + diff -Nru net-tools-2.10/debian/patches/proc.c-Stack-based-Buffer-Overflow-in-net-tools-proc.patch net-tools-2.10/debian/patches/proc.c-Stack-based-Buffer-Overflow-in-net-tools-proc.patch --- net-tools-2.10/debian/patches/proc.c-Stack-based-Buffer-Overflow-in-net-tools-proc.patch 1970-01-01 00:00:00.000000000 +0000 +++ net-tools-2.10/debian/patches/proc.c-Stack-based-Buffer-Overflow-in-net-tools-proc.patch 2025-05-26 19:27:23.000000000 +0000 @@ -0,0 +1,68 @@ +From: Zephkeks +Date: Sat, 17 May 2025 22:11:37 +0200 +Subject: proc.c: Stack-based Buffer Overflow in net-tools (proc_gen_fmt) +Origin: https://github.com/ecki/net-tools/commit/84041080a5d4794045b098ced90e0309bcbcff44 + +Coordinated as GHSA-w7jq-cmw2-cq59. +--- + lib/proc.c | 37 ++++++++++++++++++++++++++++++++++--- + 1 file changed, 34 insertions(+), 3 deletions(-) + +--- a/lib/proc.c ++++ b/lib/proc.c +@@ -17,6 +17,8 @@ char *proc_gen_fmt(const char *name, int + char buf[512], format[512] = ""; + char *title, *head, *hdr; + va_list ap; ++ size_t format_len = 0; ++ size_t format_size = sizeof(format); + + if (!fgets(buf, (sizeof buf) - 1, fh)) + return NULL; +@@ -33,14 +35,43 @@ char *proc_gen_fmt(const char *name, int + *hdr++ = 0; + + if (!strcmp(title, head)) { +- strcat(format, va_arg(ap, char *)); ++ const char *arg = va_arg(ap, char *); ++ size_t arg_len = strlen(arg); ++ ++ /* Check if we have enough space for format specifier + space */ ++ if (format_len + arg_len + 1 >= format_size) { ++ fprintf(stderr, "warning: format buffer overflow in %s\n", name); ++ va_end(ap); ++ return NULL; ++ } ++ ++ strcpy(format + format_len, arg); ++ format_len += arg_len; ++ + title = va_arg(ap, char *); + if (!title || !head) + break; + } else { +- strcat(format, "%*s"); /* XXX */ ++ /* Check if we have enough space for "%*s" */ ++ if (format_len + 3 >= format_size) { ++ fprintf(stderr, "warning: format buffer overflow in %s\n", name); ++ va_end(ap); ++ return NULL; ++ } ++ ++ strcpy(format + format_len, "%*s"); ++ format_len += 3; + } +- strcat(format, " "); ++ ++ /* Check if we have space for the trailing space */ ++ if (format_len + 1 >= format_size) { ++ fprintf(stderr, "warning: format buffer overflow in %s\n", name); ++ va_end(ap); ++ return NULL; ++ } ++ ++ format[format_len++] = ' '; ++ format[format_len] = '\0'; + } + va_end(ap); + diff -Nru net-tools-2.10/debian/patches/series net-tools-2.10/debian/patches/series --- net-tools-2.10/debian/patches/series 2025-05-15 03:52:03.000000000 +0000 +++ net-tools-2.10/debian/patches/series 2025-05-26 19:27:23.000000000 +0000 @@ -4,3 +4,6 @@ Bug_900962-man-de-typos.patch Bug_549397-fix-decoding-of-MII-vendor-ids.patch CVE-2025-46836-interface.c-Stack-based-Buffer-Overfl.patch +ipmaddr.c-Stack-based-buffer-Overflow-in-parse_hex.patch +Interface-statistic-regression-after-7a8f42fb2.patch +proc.c-Stack-based-Buffer-Overflow-in-net-tools-proc.patch