Bug 1816

Summary: TFTP Client x64: Buffer overflow on file putting
Product: Mageia Reporter: Luzemário Dantas <luzemario>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, lists.jjorge, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: tftp-5.0-6.mga1.x86_64 CVE:
Status comment:

Description Luzemário Dantas 2011-06-16 03:07:57 CEST 
Description of problem:

When trying to put a file onto server, a buffer overflow occours.


Version-Release number of selected component (if applicable): tftp-5.0-6 x64


How reproducible:
Every time.


Steps to Reproduce:
1.Install tftp package with urpmi on x64 platform: "urpmi tftp"
2.Run tftp program, i.e. "tftp"
3.Set mode to binary: "mode binary"
4.Try to put some file onto server (i.e. I tried to put a Edimax router image file onto router): "put EdiEngEW7209APg_1.28.bin"

The tftp program aborts itself as follows:

[root@acer Edimax]# tftp -m binary 192.168.1.6 -c put EdiEngEW7209APg_1.28.bin 
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fdc14f65b27]
/lib64/libc.so.6(+0xeda80)[0x7fdc14f63a80]
tftp[0x401611]
tftp[0x401bf7]
tftp[0x403f74]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7fdc14e94c3d]
tftp[0x401489]
======= Memory map: ========
00400000-00407000 r-xp 00000000 08:06 31047                              /usr/bin/tftp
00606000-00607000 rw-p 00006000 08:06 31047                              /usr/bin/tftp
00607000-00627000 rw-p 00000000 00:00 0 
01327000-01348000 rw-p 00000000 00:00 0                                  [heap]
7fdc14c61000-7fdc14c76000 r-xp 00000000 08:06 520317                     /lib64/libgcc_s-4.5.2.so.1
7fdc14c76000-7fdc14e75000 ---p 00015000 08:06 520317                     /lib64/libgcc_s-4.5.2.so.1
7fdc14e75000-7fdc14e76000 rw-p 00014000 08:06 520317                     /lib64/libgcc_s-4.5.2.so.1
7fdc14e76000-7fdc14fde000 r-xp 00000000 08:06 520210                     /lib64/libc-2.12.1.so
7fdc14fde000-7fdc151dd000 ---p 00168000 08:06 520210                     /lib64/libc-2.12.1.so
7fdc151dd000-7fdc151e1000 r--p 00167000 08:06 520210                     /lib64/libc-2.12.1.so
7fdc151e1000-7fdc151e2000 rw-p 0016b000 08:06 520210                     /lib64/libc-2.12.1.so
7fdc151e2000-7fdc151e7000 rw-p 00000000 00:00 0 
7fdc151e7000-7fdc15204000 r-xp 00000000 08:06 520203                     /lib64/ld-2.12.1.so
7fdc153b1000-7fdc153e6000 r--s 00000000 08:06 666808                     /var/db/nscd/services
7fdc153e6000-7fdc153e9000 rw-p 00000000 00:00 0 
7fdc15401000-7fdc15403000 rw-p 00000000 00:00 0 
7fdc15403000-7fdc15404000 r--p 0001c000 08:06 520203                     /lib64/ld-2.12.1.so
7fdc15404000-7fdc15405000 rw-p 0001d000 08:06 520203                     /lib64/ld-2.12.1.so
7fdc15405000-7fdc15406000 rw-p 00000000 00:00 0 
7fff843d1000-7fff843f2000 rw-p 00000000 00:00 0                          [stack]
7fff843ff000-7fff84400000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Abortado
José Jorge 2011-10-17 14:04:46 CEST

CC: (none) => lists.jjorge
Assignee: bugsquad => lists.jjorge

Comment 1 José Jorge 2011-10-17 14:09:32 CEST 
Fedora has a patch to fix that, I am applying it.
José Jorge 2011-10-17 14:09:44 CEST

Status: NEW => ASSIGNED

Comment 2 José Jorge 2011-10-17 17:56:37 CEST 
5.1 version in Cauldron fixes that.
5.0 version in Mageia 1 has the same problem, so I only applied the patch.

Qa Team, please test with this command :

tftp -m binary localhost -c put one_file

It should not crash anymore with tftp-5.0-7.1.
José Jorge 2011-10-17 17:56:47 CEST

Assignee: lists.jjorge => qa-bugs

Comment 3 Dave Hodgins 2011-10-17 22:42:51 CEST 
Testing complete on i586 for the srpm
tftp-5.0-7.1.mga1.src.rpm

I confirmed that the core release version crashed with a buffer overflow.

I also installed tftp-server, and added "-c -p" to the options in
/etc/xinetd.d/tftp. (restart the service xinetd after changing),
I also changed the owner of the /var/lib/tftpboot directory to
nobody, so that the server could write to it.

Note that the tftp-server will normally only be used to provide
files, in it's default configuration, so these are not config
problems for the server.

Before the server was set up, the tftp command would timeout.

With it installed/setup, the upload works.

CC: (none) => davidwhodgins

Comment 4 claire robinson 2011-10-18 16:34:20 CEST 
Tested OK x86_64 using Dave's procedure.

Update validated

Advisory
-----------------
This update to tftp corrects a crash due to a buffer overflow when putting a binary file onto a server.

Mageia Bug: https://bugs.mageia.org/show_bug.cgi?id=1816

-----------------

SRPM: tftp-5.0-7.1.mga1.src.rpm    

Could sysadmin please push from core/updates testing to core/updates

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2011-10-18 16:34:30 CEST

Hardware: x86_64 => All

claire robinson 2011-10-18 16:34:40 CEST

Version: Cauldron => 1

Comment 5 Thomas Backlund 2011-10-19 23:01:45 CEST 
Update pushed.

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED