• Bug#1105890: unblock: net-tools/2.10-1.2

    From Salvatore Bonaccorso@21:1/5 to All on Fri May 16 18:30:02 2025
    XPost: linux.debian.devel.release

    This is a multi-part MIME message sent by reportbug.


    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: net-tools@packages.debian.org, Martina Ferrari <tina@debian.org>, Utkarsh Gupta <utkarsh@debian.org>, carnil@debian.org
    Control: affects -1 + src:net-tools
    User: release.debian.org@packages.debian.org
    Usertags: unblock

    Dear release team,

    Please unblock package net-tools

    [ Reason ]
    Fixing a stack-based buffer overflow in get_name() from
    lib/interface.c. Utilities (for instance ifconfig) do not properly
    validate data from /proc; get_name() copies the interface labels from
    /proc/net/dev into a fixed-size stack buffer without further bounds
    checking.

    [ Impact ]
    Crash of tools from net-tools but might lead to arbitrary execution of
    code (to remove the privilege escalation path one might disable
    unpriv. usernamespaces as mitigation)

    [ Tests ]
    Basic local tests only.

    [ Risks ]
    Patch comes directly from upstream and was acked by the reporter upstream.

    [ Checklist ]
    [x] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in testing

    [ Other info ]
    Nothing else to mention.

    Regards,
    Salvatore


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
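
The bounds check the report says was missing, as an added example that is not part of the original message and is not the upstream net-tools patch: a parser for the interface label at the start of a /proc/net/dev line that rejects a label too long for the destination buffer instead of copying it. The names parse_ifname and IFNAME_BUF are hypothetical, and the sample lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IFNAME_BUF 16  /* assumption: same size as Linux IFNAMSIZ */

/* Parse the interface label at the start of one /proc/net/dev line.
 * Writes at most outsz-1 bytes plus a NUL into out. Returns a pointer just
 * past the terminating ':' on success, or NULL if the label has no ':' or
 * does not fit in out (the line is rejected, never truncated or overrun). */
const char *parse_ifname(const char *p, char *out, size_t outsz)
{
    if (outsz == 0)
        return NULL;
    out[0] = '\0';
    while (isspace((unsigned char)*p))
        p++;

    const char *start = p;
    while (*p && *p != ':' && !isspace((unsigned char)*p))
        p++;
    if (*p != ':')
        return NULL;                 /* no label terminator */

    /* Alias form "eth0:1:" -> the label is "eth0:1". */
    const char *q = p + 1;
    while (isdigit((unsigned char)*q))
        q++;
    if (q > p + 1 && *q == ':')
        p = q;

    size_t n = (size_t)(p - start);  /* length is known before any write */
    if (n == 0 || n >= outsz)
        return NULL;                 /* empty, or would overflow out[] */
    memcpy(out, start, n);
    out[n] = '\0';
    return p + 1;
}

int main(void)
{
    /* Constructed sample lines, not captured from a real system. */
    const char *lines[] = { "  eth0: 1500 12 0", "eth0:1: 7 7",
                            "AAAAAAAAAAAAAAAAAAAAAAAA: 1" };
    char name[IFNAME_BUF];
    for (size_t i = 0; i < 3; i++)
        printf("%s\n", parse_ifname(lines[i], name, sizeof name) ? name : "(rejected)");
    return 0;
}
```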