buffer overflow in tftp

Bug #691345 reported by Dustin Kirkland 
Affects | Status | Importance | Assigned to | Milestone
netkit-tftp (Ubuntu) | Fix Released | Medium | Kees Cook |
Natty | Fix Released | Medium | Kees Cook |
tftp-hpa (Ubuntu) | Fix Released | Medium | Kees Cook |
Natty | Fix Released | Medium | Kees Cook |

Bug Description

Binary package hint: tftp-hpa

I'm getting a buffer overflow from tftp in both tftp-hpa and tftp packages in Natty. I'll attach each below.

Looks like something exposed by Natty's updated toolchain, as I'm not seeing this error in Maverick or Lucid.
---
Architecture: amd64
DistroRelease: Ubuntu 11.04
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Alpha amd64 (20101202)
Package: tftp-hpa 5.0-18ubuntu1
PackageArchitecture: amd64
ProcEnviron:
 LANGUAGE=en_US:en
 PATH=(custom, user)
 LANG=en_US.UTF-8
 LC_MESSAGES=en_US.utf8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.37-9.23-generic 2.6.37-rc5
Tags: natty
Uname: Linux 2.6.37-9-generic x86_64
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

kirkland@x201:~$ tftp dalmation
tftp> get cpuinfo
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f5079977557]
/lib/libc.so.6(+0xfe410)[0x7f5079976410]
tftp[0x4015f1]
tftp[0x402065]
tftp[0x4036c9]
/lib/libc.so.6(__libc_start_main+0xfe)[0x7f5079896d8e]
tftp[0x4014d9]
======= Memory map: ========
Aborted

Dustin Kirkland  (kirkland) wrote : Dependencies.txt

apport information

tags: added: apport-collected
description: updated
Dustin Kirkland  (kirkland) wrote : Re: buffer overflow

Crashes attached.

summary: - buffer overflow
+ buffer overflow in tftp
description: updated
Kees Cook (kees)
Changed in tftp-hpa (Ubuntu):
status: New → Fix Committed
assignee: nobody → Kees Cook (kees)
importance: Undecided → Medium
Changed in netkit-tftp (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tftp-hpa - 5.0-18ubuntu2

---------------
tftp-hpa (5.0-18ubuntu2) natty; urgency=low

  * debian/patches/04-use-memcpy-for-header.patch: fix FORTIFY-detected
    potential memory corruption (LP: #691345).
 -- Kees Cook <email address hidden> Thu, 16 Dec 2010 17:44:44 -0800

Changed in tftp-hpa (Ubuntu Natty):
status: Fix Committed → Fix Released
Kees Cook (kees)
Changed in netkit-tftp (Ubuntu Natty):
status: Confirmed → Fix Committed
assignee: nobody → Kees Cook (kees)
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netkit-tftp - 0.17-18ubuntu2

---------------
netkit-tftp (0.17-18ubuntu2) natty; urgency=low

  * tftp/tftp.c: fix FORTIFY-detected potential memory corruption
    (LP: #691345).
 -- Kees Cook <email address hidden> Thu, 16 Dec 2010 18:14:49 -0800

Changed in netkit-tftp (Ubuntu Natty):
status: Fix Committed → Fix Released
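
The page does not include either patch, so the following is an added illustration, not code from tftp-hpa, netkit-tftp or the fixes above. It shows the kind of change the changelog entry names: a string copy into a packet header that FORTIFY rejects, replaced by memcpy with explicit lengths checked against the real buffer. It assumes the flagged code copied the filename into a short trailing array of the header struct; `struct req_hdr` and `make_request` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a TFTP request header: a 2-byte opcode followed
 * by variable-length data declared as a one-byte trailing array. */
struct req_hdr {
    uint16_t opcode;
    char     stuff[1];
};

/* Pattern that trips FORTIFY (kept as a comment so this file runs cleanly):
 *     strcpy(hdr->stuff, name);
 * The compiler knows the destination field is 1 byte, so the checked strcpy
 * aborts on any non-empty name even when the enclosing packet buffer is
 * large enough to hold it. */

/* Build "opcode | name\0 | mode\0" into pkt, using explicit lengths that are
 * checked against the size of the whole buffer rather than a struct field.
 * Returns the packet length, or 0 if the request does not fit. */
size_t make_request(unsigned char *pkt, size_t pkt_len, uint16_t opcode,
                    const char *name, const char *mode)
{
    size_t name_len = strlen(name) + 1;               /* include the NUL */
    size_t mode_len = strlen(mode) + 1;
    size_t off = offsetof(struct req_hdr, stuff);     /* 2: after opcode */

    if (pkt_len < off || name_len > pkt_len - off ||
        mode_len > pkt_len - off - name_len)
        return 0;

    pkt[0] = (unsigned char)(opcode >> 8);            /* network byte order */
    pkt[1] = (unsigned char)(opcode & 0xff);
    memcpy(pkt + off, name, name_len);
    memcpy(pkt + off + name_len, mode, mode_len);
    return off + name_len + mode_len;
}
```
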