buffer overflow in tftp

Bug #691345 reported by Dustin Kirkland  on 2010-12-16
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
netkit-tftp (Ubuntu) | | Medium | Kees Cook |
Natty | | Medium | Kees Cook |
tftp-hpa (Ubuntu) | | Medium | Kees Cook |
Natty | | Medium | Kees Cook |

Bug Description

Binary package hint: tftp-hpa

I'm getting a buffer overflow from tftp in both the tftp-hpa and tftp packages in Natty. I'll attach each below.

Looks like something exposed by Natty's updated toolchain, as I'm not seeing this error in Maverick or Lucid.
---
Architecture: amd64
DistroRelease: Ubuntu 11.04
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Alpha amd64 (20101202)
Package: tftp-hpa 5.0-18ubuntu1
PackageArchitecture: amd64
ProcEnviron:
 LANGUAGE=en_US:en
 PATH=(custom, user)
 LANG=en_US.UTF-8
 LC_MESSAGES=en_US.utf8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.37-9.23-generic 2.6.37-rc5
Tags: natty
Uname: Linux 2.6.37-9-generic x86_64
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

kirkland@x201:~$ tftp dalmation
tftp> get cpuinfo
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f5079977557]
/lib/libc.so.6(+0xfe410)[0x7f5079976410]
tftp[0x4015f1]
tftp[0x402065]
tftp[0x4036c9]
/lib/libc.so.6(__libc_start_main+0xfe)[0x7f5079896d8e]
tftp[0x4014d9]
Aborted

apport information

tags: added: apport-collected
description: updated

Crashes attached.

summary: - buffer overflow
+ buffer overflow in tftp
description: updated
Kees Cook (kees) on 2010-12-17
Changed in tftp-hpa (Ubuntu):
status: New → Fix Committed
assignee: nobody → Kees Cook (kees)
importance: Undecided → Medium
Changed in netkit-tftp (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tftp-hpa - 5.0-18ubuntu2

---------------
tftp-hpa (5.0-18ubuntu2) natty; urgency=low

  * debian/patches/04-use-memcpy-for-header.patch: fix FORTIFY-detected
    potential memory corruption (LP: #691345).
 -- Kees Cook <email address hidden> Thu, 16 Dec 2010 17:44:44 -0800

Changed in tftp-hpa (Ubuntu Natty):
status: Fix Committed → Fix Released
Kees Cook (kees) on 2010-12-17
Changed in netkit-tftp (Ubuntu Natty):
status: Confirmed → Fix Committed
assignee: nobody → Kees Cook (kees)
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netkit-tftp - 0.17-18ubuntu2

---------------
netkit-tftp (0.17-18ubuntu2) natty; urgency=low

  * tftp/tftp.c: fix FORTIFY-detected potential memory corruption
    (LP: #691345).
 -- Kees Cook <email address hidden> Thu, 16 Dec 2010 18:14:49 -0800

Changed in netkit-tftp (Ubuntu Natty):
status: Fix Committed → Fix Released
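
The changelog entries above describe the fix as using memcpy for the header; the patch itself is not shown on this page. The following is an added illustration, not the package's code, of why a FORTIFY check can fire when a request is written through a 1-byte header member and how a bounds-checked memcpy avoids it. `struct req_hdr` and `build_rrq` are hypothetical names, and the layout is an assumed simplification of a TFTP request header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed, simplified request header (hypothetical, for illustration):
 * a 2-byte opcode, then a union whose 1-byte array marks where the
 * variable-length request text starts inside a larger packet buffer. */
struct req_hdr {
    uint16_t opcode;
    union { uint16_t block; char stuff[1]; } u;
    char data[1];
};

#define OP_RRQ 1 /* RFC 1350 read request opcode */

/* Fragile form (shown as a comment only, not compiled):
 *     strcpy(hdr->u.stuff, name);
 * With _FORTIFY_SOURCE=2 the destination is sized as the 1-byte array,
 * so any non-empty name ends in "*** buffer overflow detected ***",
 * even when the packet buffer behind hdr is large enough. */

/* Hardened form: address the packet buffer from its start, copy with
 * memcpy, and check every length against the real buffer size.
 * Returns the request length in bytes, or -1 if it does not fit. */
long build_rrq(unsigned char *pkt, size_t pktlen,
               const char *name, const char *mode)
{
    size_t off  = offsetof(struct req_hdr, u); /* 2 bytes of opcode */
    size_t nlen = strlen(name) + 1;            /* include the NUL */
    size_t mlen = strlen(mode) + 1;            /* include the NUL */

    if (pktlen < off || nlen > pktlen - off || mlen > pktlen - off - nlen)
        return -1;

    pkt[0] = (OP_RRQ >> 8) & 0xff;             /* network byte order */
    pkt[1] = OP_RRQ & 0xff;
    memcpy(pkt + off, name, nlen);
    memcpy(pkt + off + nlen, mode, mlen);
    return (long)(off + nlen + mlen);
}
```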