summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJörg Frings-Fürst <debian@jff-webhosting.net>2021-08-23 07:38:27 +0200
committerJörg Frings-Fürst <debian@jff-webhosting.net>2021-08-23 07:38:27 +0200
commit8fcf0ba6f182918bd584bb80bf0b8998acad26a8 (patch)
tree7212ff817ceb8d20aa2e948c10436dc5c5cad12a
parent0930b8166ec00a49395f30ff71fe87b1b3ad4462 (diff)
parent4c21e0e4d421d20d7bf5550f8bff0230645960e2 (diff)
Merge branch 'release/debian/1.8.18-11'debian/1.8.18-11
-rw-r--r--debian/changelog29
-rw-r--r--debian/control2
-rw-r--r--debian/copyright2
-rw-r--r--debian/ipmitool.lintian-overrides4
-rw-r--r--debian/ipmitool.maintscript2
-rw-r--r--debian/patches/0505-fix_CVE-2020-5208.patch299
-rw-r--r--debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch120
-rw-r--r--debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch48
-rw-r--r--debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch48
-rw-r--r--debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch37
-rw-r--r--debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch85
-rw-r--r--debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch134
-rw-r--r--debian/patches/series7
-rw-r--r--debian/systemd/ipmitool.ipmievd.service1
-rw-r--r--debian/tests/control4
15 files changed, 811 insertions, 11 deletions
diff --git a/debian/changelog b/debian/changelog
index be5b777..c08965e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,32 @@
+ipmitool (1.8.18-11) unstable; urgency=medium
+
+ * Remove useless debian/ipmitool.lintian-overrides.
+ * Declare compliance with Debian Policy 4.6.0.0 (No changes needed).
+ * Remove useless DEP 8 Smoketest.
+ * debian/copyright:
+ - Add year 2021 to debian/*.
+ * debian/ipmitool.maintscript (Closes: #947384):
+ - Change prior-version to 1.8.18-11~.
+ * debian/systemd/ipmitool.ipmievd.service:
+ - Add After=openipmi.service (Closes: #950206).
+
+ -- Jörg Frings-Fürst <debian@jff.email> Sun, 22 Aug 2021 21:15:52 +0200
+
+ipmitool (1.8.18-10.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2020-5208: buffer overflows and potentially to remote code execution.
+ Applied upstream patches:
+ - CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch
+ - CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
+ - CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
+ - CVE-2020-5208_4-channel-Fix-buffer-overflow.patch
+ - CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
+ - CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch
+ (Closes: #950761).
+
+ -- Thomas Goirand <zigo@debian.org> Fri, 19 Feb 2021 11:04:17 +0100
+
ipmitool (1.8.18-10) unstable; urgency=medium
* Add "Restrictions: superficial" to debian/tests/control (Closes: #969834).
diff --git a/debian/control b/debian/control
index 76b151b..06e676a 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,7 @@ Build-Depends:
libfreeipmi-dev [!hurd-i386],
libreadline-dev,
libssl-dev
-Standards-Version: 4.5.0
+Standards-Version: 4.6.0.0
Rules-Requires-Root: no
Vcs-Git: git://jff.email/opt/git/ipmitool.git
Vcs-Browser: https://jff.email/cgit/ipmitool.git
diff --git a/debian/copyright b/debian/copyright
index 9f7f630..5e6d315 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -34,7 +34,7 @@ Copyright: 2003-2005 Duncan Laurie <duncan@sun.com>
2011-2013 Luk Claes <luk@debian.org>
2012 Leo Iannacone <l3on@ubuntu.com>
2013 Robie Basak <robie.basak@canonical.com>
- 2014-2019 Jörg Frings-Fürst <debian@jff.email>
+ 2014-2021 Jörg Frings-Fürst <debian@jff.email>
License: BSD-3-clause
License: BSD-3-clause
diff --git a/debian/ipmitool.lintian-overrides b/debian/ipmitool.lintian-overrides
deleted file mode 100644
index 00696e1..0000000
--- a/debian/ipmitool.lintian-overrides
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# see bug #932378
-#
-ipmitool: missing-versioned-depends-on-init-system-helpers postinst:23 "update-rc.d defaults-disabled" needs init-system-helpers >= 1.50
diff --git a/debian/ipmitool.maintscript b/debian/ipmitool.maintscript
index 2a663cf..7761b8a 100644
--- a/debian/ipmitool.maintscript
+++ b/debian/ipmitool.maintscript
@@ -1 +1 @@
-rm_conffile /etc/default/ipmitool 1.8.18-6~ ipmitool
+rm_conffile /etc/default/ipmitool 1.8.18-11~ ipmitool
diff --git a/debian/patches/0505-fix_CVE-2020-5208.patch b/debian/patches/0505-fix_CVE-2020-5208.patch
new file mode 100644
index 0000000..1295180
--- /dev/null
+++ b/debian/patches/0505-fix_CVE-2020-5208.patch
@@ -0,0 +1,299 @@
+Description: Fix CVE-2020-5208
+Origin: backport from
+ https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2
+ https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10
+ https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22
+ https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4
+ https://github.com/ipmitool/ipmitool/commit/d45572d71e70840e0d4c50bf48218492b79c1a10
+ https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637
+Bug: https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950761
+Forwarded: not-needed
+Last-Update: 2021-01-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/lib/ipmi_fru.c
+===================================================================
+--- trunk.orig/lib/ipmi_fru.c
++++ trunk/lib/ipmi_fru.c
+@@ -615,7 +615,10 @@ int
+ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+- uint32_t off = offset, tmp, finish;
++ uint32_t off = offset;
++ uint32_t tmp;
++ uint32_t finish;
++ uint32_t size_left_in_buffer;
+ struct ipmi_rs * rsp;
+ struct ipmi_rq req;
+ uint8_t msg_data[4];
+@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, s
+
+ finish = offset + length;
+ if (finish > fru->size) {
++ memset(frubuf + fru->size, 0, length - fru->size);
+ finish = fru->size;
+ lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+ "Adjusting to %d",
+ offset + length, finish - offset);
++ length = finish - offset;
+ }
+
+ memset(&req, 0, sizeof(req));
+@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, s
+ }
+ }
+
++ size_left_in_buffer = length;
+ do {
+ tmp = fru->access ? off >> 1 : off;
+ msg_data[0] = id;
+@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, s
+ }
+
+ tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
++ if(rsp->data_len < 1
++ || tmp > rsp->data_len - 1
++ || tmp > size_left_in_buffer)
++ {
++ printf(" Not enough buffer size");
++ return -1;
++ }
++
+ memcpy(frubuf, rsp->data + 1, tmp);
+ off += tmp;
+ frubuf += tmp;
++ size_left_in_buffer -= tmp;
+ /* sometimes the size returned in the Info command
+ * is too large. return 0 so higher level function
+ * still attempts to parse what was returned */
+@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf *
+ uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+ static uint32_t fru_data_rqst_size = 20;
+- uint32_t off = offset, tmp, finish;
++ uint32_t off = offset;
++ uint32_t tmp, finish;
++ uint32_t size_left_in_buffer;
+ struct ipmi_rs * rsp;
+ struct ipmi_rq req;
+ uint8_t msg_data[4];
+@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf *
+
+ finish = offset + length;
+ if (finish > fru->size) {
++ memset(frubuf + fru->size, 0, length - fru->size);
+ finish = fru->size;
+ lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+ "Adjusting to %d",
+ offset + length, finish - offset);
++ length = finish - offset;
+ }
+
+ memset(&req, 0, sizeof(req));
+@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf *
+ if (fru->access && fru_data_rqst_size > 16)
+ #endif
+ fru_data_rqst_size = 16;
++
++ size_left_in_buffer = length;
+ do {
+ tmp = fru->access ? off >> 1 : off;
+ msg_data[0] = id;
+@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf *
+ }
+
+ tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
++ if(rsp->data_len < 1
++ || tmp > rsp->data_len - 1
++ || tmp > size_left_in_buffer)
++ {
++ printf(" Not enough buffer size");
++ return -1;
++ }
+ memcpy((frubuf + off)-offset, rsp->data + 1, tmp);
+ off += tmp;
++ size_left_in_buffer -= tmp;
+
+ /* sometimes the size returned in the Info command
+ * is too large. return 0 so higher level function
+@@ -3033,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf,
+ return 0;
+
+ memset(desc, 0, sizeof(desc));
+- memcpy(desc, fru->id_string, fru->id_code & 0x01f);
++ memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc)));
+ desc[fru->id_code & 0x01f] = 0;
+ printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id);
+
+Index: trunk/lib/ipmi_sdr.c
+===================================================================
+--- trunk.orig/lib/ipmi_sdr.c
++++ trunk/lib/ipmi_sdr.c
+@@ -2084,7 +2084,7 @@ ipmi_sdr_print_sensor_eventonly(struct i
+ return -1;
+
+ memset(desc, 0, sizeof (desc));
+- snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string);
++ snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string);
+
+ if (verbose) {
+ printf("Sensor ID : %s (0x%x)\n",
+@@ -2135,7 +2135,7 @@ ipmi_sdr_print_sensor_mc_locator(struct
+ return -1;
+
+ memset(desc, 0, sizeof (desc));
+- snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string);
++ snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string);
+
+ if (verbose == 0) {
+ if (csv_output)
+@@ -2228,7 +2228,7 @@ ipmi_sdr_print_sensor_generic_locator(st
+ char desc[17];
+
+ memset(desc, 0, sizeof (desc));
+- snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string);
++ snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string);
+
+ if (!verbose) {
+ if (csv_output)
+@@ -2285,7 +2285,7 @@ ipmi_sdr_print_sensor_fru_locator(struct
+ char desc[17];
+
+ memset(desc, 0, sizeof (desc));
+- snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string);
++ snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string);
+
+ if (!verbose) {
+ if (csv_output)
+@@ -2489,35 +2489,43 @@ ipmi_sdr_print_name_from_rawentry(struct
+
+ int rc =0;
+ char desc[17];
++ const char *id_string;
++ uint8_t id_code;
+ memset(desc, ' ', sizeof (desc));
+
+ switch ( type) {
+ case SDR_RECORD_TYPE_FULL_SENSOR:
+ record.full = (struct sdr_record_full_sensor *) raw;
+- snprintf(desc, (record.full->id_code & 0x1f) +1, "%s",
+- (const char *)record.full->id_string);
++ id_code = record.full->id_code;
++ id_string = record.full->id_string;
+ break;
++
+ case SDR_RECORD_TYPE_COMPACT_SENSOR:
+ record.compact = (struct sdr_record_compact_sensor *) raw ;
+- snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s",
+- (const char *)record.compact->id_string);
++ id_code = record.compact->id_code;
++ id_string = record.compact->id_string;
+ break;
++
+ case SDR_RECORD_TYPE_EVENTONLY_SENSOR:
+ record.eventonly = (struct sdr_record_eventonly_sensor *) raw ;
+- snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s",
+- (const char *)record.eventonly->id_string);
+- break;
++ id_code = record.eventonly->id_code;
++ id_string = record.eventonly->id_string;
++ break;
++
+ case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR:
+ record.mcloc = (struct sdr_record_mc_locator *) raw ;
+- snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s",
+- (const char *)record.mcloc->id_string);
++ id_code = record.mcloc->id_code;
++ id_string = record.mcloc->id_string;
+ break;
++
+ default:
+ rc = -1;
+- break;
+- }
++ }
++ if (!rc) {
++ snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string);
++ }
+
+- lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
++ lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
+ return rc;
+ }
+
+Index: trunk/lib/ipmi_channel.c
+===================================================================
+--- trunk.orig/lib/ipmi_channel.c
++++ trunk/lib/ipmi_channel.c
+@@ -378,7 +378,10 @@ ipmi_get_channel_cipher_suites(struct ip
+ lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
+ return -1;
+ }
+- if (rsp->ccode > 0) {
++ if (rsp->ccode
++ || rsp->data_len < 1
++ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
++ {
+ lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
+ val2str(rsp->ccode, completion_code_vals));
+ return -1;
+Index: trunk/lib/ipmi_session.c
+===================================================================
+--- trunk.orig/lib/ipmi_session.c
++++ trunk/lib/ipmi_session.c
+@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf
+ }
+ else
+ {
+- memcpy(&session_info, rsp->data, rsp->data_len);
+- print_session_info(&session_info, rsp->data_len);
++ memcpy(&session_info, rsp->data,
++ __min(rsp->data_len, sizeof(session_info)));
++ print_session_info(&session_info,
++ __min(rsp->data_len, sizeof(session_info)));
+ }
+ break;
+
+@@ -341,9 +343,10 @@ ipmi_get_session_info(struct ipmi_intf
+ break;
+ }
+
+- memcpy(&session_info, rsp->data, rsp->data_len);
+- print_session_info(&session_info, rsp->data_len);
+-
++ memcpy(&session_info, rsp->data,
++ __min(rsp->data_len, sizeof(session_info)));
++ print_session_info(&session_info,
++ __min(rsp->data_len, sizeof(session_info)));
+ } while (i <= session_info.session_slot_count);
+ break;
+ }
+Index: trunk/lib/dimm_spd.c
+===================================================================
+--- trunk.orig/lib/dimm_spd.c
++++ trunk/lib/dimm_spd.c
+@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * in
+ struct ipmi_rq req;
+ struct fru_info fru;
+ uint8_t *spd_data, msg_data[4];
+- int len, offset;
++ uint32_t len, offset;
+
+ msg_data[0] = id;
+
+@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * in
+ }
+
+ len = rsp->data[0];
++ if(rsp->data_len < 1
++ || len > rsp->data_len - 1
++ || len > fru.size - offset)
++ {
++ printf(" Not enough buffer size");
++ return -1;
++ }
+ memcpy(&spd_data[offset], rsp->data + 1, len);
+ offset += len;
+ } while (offset < fru.size);
diff --git a/debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch b/debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch
new file mode 100644
index 0000000..1c3029d
--- /dev/null
+++ b/debian/patches/CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch
@@ -0,0 +1,120 @@
+Description: fru: Fix buffer overflow vulnerabilities
+ Partial fix for CVE-2020-5208, see
+ https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+ .
+ The `read_fru_area_section` function only performs size validation of
+ requested read size, and falsely assumes that the IPMI message will not
+ respond with more than the requested amount of data; it uses the
+ unvalidated response size to copy into `frubuf`. If the response is
+ larger than the request, this can result in overflowing the buffer.
+ .
+ The same issue affects the `read_fru_area` function.
+Author: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:33:59 +0000
+
+Index: ipmitool-1.8.18/lib/ipmi_fru.c
+===================================================================
+--- ipmitool-1.8.18.orig/lib/ipmi_fru.c
++++ ipmitool-1.8.18/lib/ipmi_fru.c
+@@ -615,7 +615,10 @@ int
+ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+- uint32_t off = offset, tmp, finish;
++ uint32_t off = offset;
++ uint32_t tmp;
++ uint32_t finish;
++ uint32_t size_left_in_buffer;
+ struct ipmi_rs * rsp;
+ struct ipmi_rq req;
+ uint8_t msg_data[4];
+@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, s
+
+ finish = offset + length;
+ if (finish > fru->size) {
++ memset(frubuf + fru->size, 0, length - fru->size);
+ finish = fru->size;
+ lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+ "Adjusting to %d",
+ offset + length, finish - offset);
++ length = finish - offset;
+ }
+
+ memset(&req, 0, sizeof(req));
+@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, s
+ }
+ }
+
++ size_left_in_buffer = length;
+ do {
+ tmp = fru->access ? off >> 1 : off;
+ msg_data[0] = id;
+@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, s
+ }
+
+ tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
++ if(rsp->data_len < 1
++ || tmp > rsp->data_len - 1
++ || tmp > size_left_in_buffer)
++ {
++ printf(" Not enough buffer size");
++ return -1;
++ }
++
+ memcpy(frubuf, rsp->data + 1, tmp);
+ off += tmp;
+ frubuf += tmp;
++ size_left_in_buffer -= tmp;
+ /* sometimes the size returned in the Info command
+ * is too large. return 0 so higher level function
+ * still attempts to parse what was returned */
+@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf *
+ uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+ static uint32_t fru_data_rqst_size = 20;
+- uint32_t off = offset, tmp, finish;
++ uint32_t off = offset;
++ uint32_t tmp, finish;
++ uint32_t size_left_in_buffer;
+ struct ipmi_rs * rsp;
+ struct ipmi_rq req;
+ uint8_t msg_data[4];
+@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf *
+
+ finish = offset + length;
+ if (finish > fru->size) {
++ memset(frubuf + fru->size, 0, length - fru->size);
+ finish = fru->size;
+ lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+ "Adjusting to %d",
+ offset + length, finish - offset);
++ length = finish - offset;
+ }
+
+ memset(&req, 0, sizeof(req));
+@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf *
+ if (fru->access && fru_data_rqst_size > 16)
+ #endif
+ fru_data_rqst_size = 16;
++
++ size_left_in_buffer = length;
+ do {
+ tmp = fru->access ? off >> 1 : off;
+ msg_data[0] = id;
+@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf *
+ }
+
+ tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
++ if(rsp->data_len < 1
++ || tmp > rsp->data_len - 1
++ || tmp > size_left_in_buffer)
++ {
++ printf(" Not enough buffer size");
++ return -1;
++ }
+ memcpy((frubuf + off)-offset, rsp->data + 1, tmp);
+ off += tmp;
++ size_left_in_buffer -= tmp;
+
+ /* sometimes the size returned in the Info command
+ * is too large. return 0 so higher level function
diff --git a/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
new file mode 100644
index 0000000..efa2381
--- /dev/null
+++ b/debian/patches/CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
@@ -0,0 +1,48 @@
+From 840fb1cbb4fb365cb9797300e3374d4faefcdb10 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:44:18 +0000
+Subject: [PATCH 2/6] fru: Fix buffer overflow in ipmi_spd_print_fru
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `ipmi_spd_print_fru` function has a similar issue as the one fixed
+by the previous commit in `read_fru_area_section`. An initial request is
+made to get the `fru.size`, which is used as the size for the allocation
+of `spd_data`. Inside a loop, further requests are performed to get the
+copy sizes which are not checked before being used as the size for a
+copy into the buffer.
+---
+ lib/dimm_spd.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c
+index 163a2c2..d559cb4 100644
+--- a/lib/dimm_spd.c
++++ b/lib/dimm_spd.c
+@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
+ struct ipmi_rq req;
+ struct fru_info fru;
+ uint8_t *spd_data, msg_data[4];
+- int len, offset;
++ uint32_t len, offset;
+
+ msg_data[0] = id;
+
+@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
+ }
+
+ len = rsp->data[0];
++ if(rsp->data_len < 1
++ || len > rsp->data_len - 1
++ || len > fru.size - offset)
++ {
++ printf(" Not enough buffer size");
++ return -1;
++ }
+ memcpy(&spd_data[offset], rsp->data + 1, len);
+ offset += len;
+ } while (offset < fru.size);
+--
+2.20.1
+
diff --git a/debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch b/debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
new file mode 100644
index 0000000..df07c96
--- /dev/null
+++ b/debian/patches/CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
@@ -0,0 +1,48 @@
+From 41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:51:49 +0000
+Subject: [PATCH 3/6] session: Fix buffer overflow in ipmi_get_session_info
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `ipmi_get_session_info` function does not properly check the
+response `data_len`, which is used as a copy size, allowing stack buffer
+overflow.
+---
+ lib/ipmi_session.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c
+index ecf4afc..b282d6d 100644
+--- a/lib/ipmi_session.c
++++ b/lib/ipmi_session.c
+@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf * intf,
+ }
+ else
+ {
+- memcpy(&session_info, rsp->data, rsp->data_len);
+- print_session_info(&session_info, rsp->data_len);
++ memcpy(&session_info, rsp->data,
++ __min(rsp->data_len, sizeof(session_info)));
++ print_session_info(&session_info,
++ __min(rsp->data_len, sizeof(session_info)));
+ }
+ break;
+
+@@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf * intf,
+ break;
+ }
+
+- memcpy(&session_info, rsp->data, rsp->data_len);
+- print_session_info(&session_info, rsp->data_len);
++ memcpy(&session_info, rsp->data,
++ __min(rsp->data_len, sizeof(session_info)));
++ print_session_info(&session_info,
++ __min(rsp->data_len, sizeof(session_info)));
+
+ } while (i <= session_info.session_slot_count);
+ break;
+--
+2.20.1
+
diff --git a/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch b/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch
new file mode 100644
index 0000000..cae9ddd
--- /dev/null
+++ b/debian/patches/CVE-2020-5208_4-channel-Fix-buffer-overflow.patch
@@ -0,0 +1,37 @@
+Subject: [PATCH 4/6] channel: Fix buffer overflow
+ Partial fix for CVE-2020-5208, see
+ https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+ .
+ The `ipmi_get_channel_cipher_suites` function does not properly check
+ the final response’s `data_len`, which can lead to stack buffer overflow
+ on the final copy.
+ From 9452be87181a6e83cfcc768b3ed8321763db50e4 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:56:38 +0000
+Last-Update: 2021-02-08
+
+--- ipmitool-1.8.18.orig/lib/ipmi_channel.c
++++ ipmitool-1.8.18/lib/ipmi_channel.c
+@@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ip
+ lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
+ return -1;
+ }
+- if (rsp->ccode > 0) {
++ if (rsp->ccode
++ || rsp->data_len < 1
++ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
++ {
+ lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
+ val2str(rsp->ccode, completion_code_vals));
+ return -1;
+--- a/include/ipmitool/ipmi_channel.h 2016-05-29 21:46:53.000000000 +0200
++++ b/include/ipmitool/ipmi_channel.h 2021-02-08 23:45:10.598535426 +0100
+@@ -77,6 +77,8 @@
+ uint8_t user_level_auth;
+ };
+
++#define MAX_CIPHER_SUITE_DATA_LEN 0x10
++
+ /*
+ * The Get Authentication Capabilities response structure
+ * From table 22-15 of the IPMI v2.0 spec
diff --git a/debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch b/debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
new file mode 100644
index 0000000..9c10aeb
--- /dev/null
+++ b/debian/patches/CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
@@ -0,0 +1,85 @@
+From d45572d71e70840e0d4c50bf48218492b79c1a10 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 17:06:39 +0000
+Subject: [PATCH 5/6] lanp: Fix buffer overflows in get_lan_param_select
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `get_lan_param_select` function is missing a validation check on the
+response’s `data_len`, which it then returns to caller functions, where
+stack buffer overflow can occur.
+---
+ lib/ipmi_lanp.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+Index: ipmitool-1.8.18/lib/ipmi_lanp.c
+===================================================================
+--- ipmitool-1.8.18.orig/lib/ipmi_lanp.c
++++ ipmitool-1.8.18/lib/ipmi_lanp.c
+@@ -1809,7 +1809,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in
+ if (p == NULL) {
+ return (-1);
+ }
+- memcpy(data, p->data, p->data_len);
++ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ /* set new ipaddr */
+ memcpy(data+3, temp, 4);
+ printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert,
+@@ -1824,7 +1824,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in
+ if (p == NULL) {
+ return (-1);
+ }
+- memcpy(data, p->data, p->data_len);
++ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ /* set new macaddr */
+ memcpy(data+7, temp, 6);
+ printf("Setting LAN Alert %d MAC Address to "
+@@ -1838,7 +1838,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in
+ if (p == NULL) {
+ return (-1);
+ }
+- memcpy(data, p->data, p->data_len);
++ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+
+ if (strncasecmp(argv[1], "def", 3) == 0 ||
+ strncasecmp(argv[1], "default", 7) == 0) {
+@@ -1864,7 +1864,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in
+ if (p == NULL) {
+ return (-1);
+ }
+- memcpy(data, p->data, p->data_len);
++ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+
+ if (strncasecmp(argv[1], "on", 2) == 0 ||
+ strncasecmp(argv[1], "yes", 3) == 0) {
+@@ -1889,7 +1889,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in
+ if (p == NULL) {
+ return (-1);
+ }
+- memcpy(data, p->data, p->data_len);
++ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+
+ if (strncasecmp(argv[1], "pet", 3) == 0) {
+ printf("Setting LAN Alert %d destination to PET Trap\n", alert);
+@@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in
+ if (p == NULL) {
+ return (-1);
+ }
+- memcpy(data, p->data, p->data_len);
++ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+
+ if (str2uchar(argv[1], &data[2]) != 0) {
+ lprintf(LOG_ERR, "Invalid time: %s", argv[1]);
+@@ -1933,7 +1933,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in
+ if (p == NULL) {
+ return (-1);
+ }
+- memcpy(data, p->data, p->data_len);
++ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+
+ if (str2uchar(argv[1], &data[3]) != 0) {
+ lprintf(LOG_ERR, "Invalid retry: %s", argv[1]);
diff --git a/debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch b/debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch
new file mode 100644
index 0000000..03451ed
--- /dev/null
+++ b/debian/patches/CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch
@@ -0,0 +1,134 @@
+From 7ccea283dd62a05a320c1921e3d8d71a87772637 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 17:13:45 +0000
+Subject: [PATCH 6/6] fru, sdr: Fix id_string buffer overflows
+
+Final part of the fixes for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+9 variants of stack buffer overflow when parsing `id_string` field of
+SDR records returned from `CMD_GET_SDR` command.
+
+SDR record structs have an `id_code` field, and an `id_string` `char`
+array.
+
+The length of `id_string` is calculated as `(id_code & 0x1f) + 1`,
+which can be larger than expected 16 characters (if `id_code = 0xff`,
+then length will be `(0xff & 0x1f) + 1 = 32`).
+
+In numerous places, this can cause stack buffer overflow when copying
+into fixed buffer of size `17` bytes from this calculated length.
+---
+ lib/ipmi_fru.c | 2 +-
+ lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++----------------
+ 2 files changed, 25 insertions(+), 17 deletions(-)
+
+Index: ipmitool-1.8.18/lib/ipmi_fru.c
+===================================================================
+--- ipmitool-1.8.18.orig/lib/ipmi_fru.c
++++ ipmitool-1.8.18/lib/ipmi_fru.c
+@@ -3062,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf,
+ return 0;
+
+ memset(desc, 0, sizeof(desc));
+- memcpy(desc, fru->id_string, fru->id_code & 0x01f);
++ memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc)));
+ desc[fru->id_code & 0x01f] = 0;
+ printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id);
+
+Index: ipmitool-1.8.18/lib/ipmi_sdr.c
+===================================================================
+--- ipmitool-1.8.18.orig/lib/ipmi_sdr.c
++++ ipmitool-1.8.18/lib/ipmi_sdr.c
+@@ -2084,7 +2084,7 @@ ipmi_sdr_print_sensor_eventonly(struct i
+ return -1;
+
+ memset(desc, 0, sizeof (desc));
+- snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string);
++ snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string);
+
+ if (verbose) {
+ printf("Sensor ID : %s (0x%x)\n",
+@@ -2135,7 +2135,7 @@ ipmi_sdr_print_sensor_mc_locator(struct
+ return -1;
+
+ memset(desc, 0, sizeof (desc));
+- snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string);
++ snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string);
+
+ if (verbose == 0) {
+ if (csv_output)
+@@ -2228,7 +2228,7 @@ ipmi_sdr_print_sensor_generic_locator(st
+ char desc[17];
+
+ memset(desc, 0, sizeof (desc));
+- snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string);
++ snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string);
+
+ if (!verbose) {
+ if (csv_output)
+@@ -2285,7 +2285,7 @@ ipmi_sdr_print_sensor_fru_locator(struct
+ char desc[17];
+
+ memset(desc, 0, sizeof (desc));
+- snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string);
++ snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string);
+
+ if (!verbose) {
+ if (csv_output)
+@@ -2489,35 +2489,43 @@ ipmi_sdr_print_name_from_rawentry(struct
+
+ int rc =0;
+ char desc[17];
++ const char *id_string;
++ uint8_t id_code;
+ memset(desc, ' ', sizeof (desc));
+
+ switch ( type) {
+ case SDR_RECORD_TYPE_FULL_SENSOR:
+ record.full = (struct sdr_record_full_sensor *) raw;
+- snprintf(desc, (record.full->id_code & 0x1f) +1, "%s",
+- (const char *)record.full->id_string);
++ id_code = record.full->id_code;
++ id_string = record.full->id_string;
+ break;
++
+ case SDR_RECORD_TYPE_COMPACT_SENSOR:
+ record.compact = (struct sdr_record_compact_sensor *) raw ;
+- snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s",
+- (const char *)record.compact->id_string);
++ id_code = record.compact->id_code;
++ id_string = record.compact->id_string;
+ break;
++
+ case SDR_RECORD_TYPE_EVENTONLY_SENSOR:
+ record.eventonly = (struct sdr_record_eventonly_sensor *) raw ;
+- snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s",
+- (const char *)record.eventonly->id_string);
+- break;
++ id_code = record.eventonly->id_code;
++ id_string = record.eventonly->id_string;
++ break;
++
+ case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR:
+ record.mcloc = (struct sdr_record_mc_locator *) raw ;
+- snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s",
+- (const char *)record.mcloc->id_string);
++ id_code = record.mcloc->id_code;
++ id_string = record.mcloc->id_string;
+ break;
++
+ default:
+ rc = -1;
+- break;
+- }
++ }
++ if (!rc) {
++ snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string);
++ }
+
+- lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
++ lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
+ return rc;
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index 3c1cb0a..771ac8f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+#0505-fix_CVE-2020-5208.patch
0120-openssl1.1.patch
0100-fix_buf_overflow.patch
0500-fix_CVE-2011-4339.patch
@@ -9,3 +10,9 @@
0130-Correct_lanplus_segment_violation.patch
0005-gcc10.patch
0010-utf8.patch
+CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch
+CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
+CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
+CVE-2020-5208_4-channel-Fix-buffer-overflow.patch
+CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
+CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch
diff --git a/debian/systemd/ipmitool.ipmievd.service b/debian/systemd/ipmitool.ipmievd.service
index fdae14f..db30b27 100644
--- a/debian/systemd/ipmitool.ipmievd.service
+++ b/debian/systemd/ipmitool.ipmievd.service
@@ -1,5 +1,6 @@
[Unit]
Description=IPMI event daemon
+After=openipmi.service
[Service]
Type=forking
diff --git a/debian/tests/control b/debian/tests/control
deleted file mode 100644
index d601169..0000000
--- a/debian/tests/control
+++ /dev/null
@@ -1,4 +0,0 @@
-# smoke test
-Test-Command: ipmitool -V
-Depends: ipmitool
-Restrictions: superficial