- Fix multiple TFTP server vulnerabilities (CVE-2009-2957, CVE-2009-2958)

2009-10-05 10:26:35 +00:00 · 2009-10-05 10:26:35 +00:00 · 8b0560dcd4
parent 27df76d8d5
commit 8b0560dcd4
2 changed files with 75 additions and 1 deletions
--- a/dnsmasq-2.48-tftp-server-vulnerabilities.patch
+++ b/dnsmasq-2.48-tftp-server-vulnerabilities.patch
@ -0,0 +1,69 @@
+diff -up dnsmasq-2.48/src/tftp.c.tftp-server-vulnerabilities dnsmasq-2.48/src/tftp.c
+--- dnsmasq-2.48/src/tftp.c.tftp-server-vulnerabilities	2009-10-05 11:15:10.104555320 +0100
+++ dnsmasq-2.48/src/tftp.c	2009-10-05 11:15:12.104564277 +0100
+@@ -192,20 +192,21 @@ void tftp_request(struct listener *liste
+       
+       while ((opt = next(&p, end)))
+ 	{
+-	  if (strcasecmp(opt, "blksize") == 0 &&
+-	      (opt = next(&p, end)) &&
+-	      !(daemon->options & OPT_TFTP_NOBLOCK))
+	  if (strcasecmp(opt, "blksize") == 0)
+ 	    {
+-	      transfer->blocksize = atoi(opt);
+-	      if (transfer->blocksize < 1)
+-		transfer->blocksize = 1;
+-	      if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
+-		transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
+-	      transfer->opt_blocksize = 1;
+-	      transfer->block = 0;
+	      if ((opt = next(&p, end)) &&
+		  !(daemon->options & OPT_TFTP_NOBLOCK))
+		{
+		  transfer->blocksize = atoi(opt);
+		  if (transfer->blocksize < 1)
+		    transfer->blocksize = 1;
+		  if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
+		    transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
+		  transfer->opt_blocksize = 1;
+		  transfer->block = 0;
+		}
+ 	    }
+-	  
+-	  if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
+	  else if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
+ 	    {
+ 	      transfer->opt_transize = 1;
+ 	      transfer->block = 0;
+@@ -217,17 +218,17 @@ void tftp_request(struct listener *liste
+ 	{
+ 	  if (daemon->tftp_prefix[0] == '/')
+ 	    daemon->namebuff[0] = 0;
+-	  strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME);
+	  strncat(daemon->namebuff, daemon->tftp_prefix, (MAXDNAME-1) - strlen(daemon->namebuff));
+ 	  if (daemon->tftp_prefix[strlen(daemon->tftp_prefix)-1] != '/')
+-	    strncat(daemon->namebuff, "/", MAXDNAME);
+	    strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
+ 
+ 	  if (daemon->options & OPT_TFTP_APREF)
+ 	    {
+ 	      size_t oldlen = strlen(daemon->namebuff);
+ 	      struct stat statbuf;
+ 	      
+-	      strncat(daemon->namebuff, inet_ntoa(peer.sin_addr), MAXDNAME);
+-	      strncat(daemon->namebuff, "/", MAXDNAME);
+	      strncat(daemon->namebuff, inet_ntoa(peer.sin_addr), (MAXDNAME-1) - strlen(daemon->namebuff));
+	      strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
+ 	      
+ 	      /* remove unique-directory if it doesn't exist */
+ 	      if (stat(daemon->namebuff, &statbuf) == -1 || !S_ISDIR(statbuf.st_mode))
+@@ -245,8 +246,7 @@ void tftp_request(struct listener *liste
+ 	}
+       else if (filename[0] == '/')
+ 	daemon->namebuff[0] = 0;
+-      strncat(daemon->namebuff, filename, MAXDNAME);
+-      daemon->namebuff[MAXDNAME-1] = 0;
+      strncat(daemon->namebuff, filename, (MAXDNAME-1) - strlen(daemon->namebuff));
+ 
+       /* check permissions and open file */
+       if ((transfer->file = check_tftp_fileperm(&len)))
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@ -11,7 +11,7 @@

 Name:           dnsmasq
 Version:        2.48
-Release:        3%{?extraversion}%{?dist}
+Release:        4%{?extraversion}%{?dist}
 Summary:        A lightweight DHCP/caching DNS server

 Group:          System Environment/Daemons
@ -20,6 +20,7 @@ URL:            http://www.thekelleys.org.uk/dnsmasq/
 Source0:        http://www.thekelleys.org.uk/dnsmasq/%{?extrapath}%{name}-%{version}%{?extraversion}.tar.lzma
 Patch0:         %{name}-2.33-initscript.patch
 Patch1:         %{name}-configuration.patch
+Patch2:         %{name}-2.48-tftp-server-vulnerabilities.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 BuildRequires:  dbus-devel
@ -46,6 +47,7 @@ machines.
 %setup -q -n %{name}-%{version}%{?extraversion}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1

 %build
 make %{?_smp_mflags}
@ -109,6 +111,9 @@ fi


 %changelog
+* Mon Oct  5 2009 Mark McLoughlin <markmc@redhat.com> - 2.48-4
+- Fix multiple TFTP server vulnerabilities (CVE-2009-2957, CVE-2009-2958)
+
 * Wed Aug 12 2009 Ville Skyttä <ville.skytta@iki.fi> - 2.48-3
 - Use lzma compressed upstream tarball.