Debian Patches

Status for ipmitool/1.8.18-10.1

Patch Description Author Forwarded Bugs Origin Last update
0120-openssl1.1.patch Migrate to openssl 1.1 Cherry-picked from upstream Jörg Frings-Fürst <debian@jff-webhosting.net> not-needed debian upstream upstream https://sourceforge.net/p/ipmitool/source/ci/1664902525a1c3771b4d8b3ccab7ea1ba6b2bdd1/ 2017-08-13
0100-fix_buf_overflow.patch fix buffer overflow based on 101_fix_buf_overflow from Leo Iannacone <l3on@ubuntu.com> Jörg Frings-Fürst <debian@jff-webhosting.net> yes upstream 2014-12-01
0500-fix_CVE-2011-4339.patch CVE-2011-4339 insecure file permission when creating PID files
based on 112_fix_CVE-2011-4339
Jörg Frings-Fürst <debian@jff-webhosting.net> yes upstream 2014-12-01
0600-manpage_longlines.patch long lines in man-page prevent "can't break line" warnings Jörg Frings-Fürst <debian@jff-webhosting.net> not-needed 2014-05-20
0110-getpass-prototype.patch use necessary source dialect to ensure getpass() availability getpass is a deprecated function, and building with either c99 or gnu99
does not ensure this function's availability. So instead, declare
_DEFAULT_SOURCE so that the function remains available.
Steve Langasek <steve.langasek@ubuntu.com> no debian upstream <upstream|backport|vendor|other>, <URL, required except if Author is present> 2016-05-15
0115-typo.patch source typos Jörg Frings-Fürst <debian@jff-webhosting.net> not-needed 2017-08-13
0125-nvidia-iana.patch Add IANA ID for NVIDIA hardware Add the NVIDIA IANA ID to the hardcoded list used in ipmitool <= 1.8.18.
After upstream commit "9d41136 ID:491 - Fetch vendor IDs from IANA", ipmitool
generates a list of vendor IDs dynamically at build time, so we can drop this
patch in future releases.
dann frazier <dannf@debian.org> not-needed debian backport 2018-07-11
0615-manpage_typo.patch typo in man-pages Jörg Frings-Fürst <debian@jff.email> no 2019-07-18
0130-Correct_lanplus_segment_violation.patch Fix lanplus segment violation for truncated response yes debian upstream upstream, https://github.com/pjdhpe/ipmitool/commit/815aae70cf8dc9f0e1ba1923fc4ec3cc16d0d2f1?diff=unified 2019-12-22
0005-gcc10.patch Fix ftbfs with gcc-10 Jörg Frings-Fürst <debian@jff.email> yes debian upstream 2020-07-28
0010-utf8.patch conv AUTHORS to UTF-8 Jörg Frings-Fürst <debian@jff.email> not-needed 2020-07-28
CVE-2020-5208_1_Fix_buffer_overflow_vulnerabilities.patch fru: Fix buffer overflow vulnerabilities Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp

The `read_fru_area_section` function only performs size validation of
requested read size, and falsely assumes that the IPMI message will not
respond with more than the requested amount of data; it uses the
unvalidated response size to copy into `frubuf`. If the response is
larger than the request, this can result in overflowing the buffer.

The same issue affects the `read_fru_area` function.

Chrostoper Ertl <chertl@microsoft.com> no 2019-11-28
CVE-2020-5208_2-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch [PATCH 2/6] fru: Fix buffer overflow in ipmi_spd_print_fru
Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp

The `ipmi_spd_print_fru` function has a similar issue as the one fixed
by the previous commit in `read_fru_area_section`. An initial request is
made to get the `fru.size`, which is used as the size for the allocation
of `spd_data`. Inside a loop, further requests are performed to get the
copy sizes which are not checked before being used as the size for a
copy into the buffer.
Chrostoper Ertl <chertl@microsoft.com> no 2019-11-28
CVE-2020-5208_3-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch [PATCH 3/6] session: Fix buffer overflow in ipmi_get_session_info
Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp

The `ipmi_get_session_info` function does not properly check the
response `data_len`, which is used as a copy size, allowing stack buffer
overflow.
Chrostoper Ertl <chertl@microsoft.com> no 2019-11-28
CVE-2020-5208_4-channel-Fix-buffer-overflow.patch [PATCH 4/6] channel: Fix buffer overflow Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp

The `ipmi_get_channel_cipher_suites` function does not properly check
the final response’s `data_len`, which can lead to stack buffer overflow
on the final copy.
From 9452be87181a6e83cfcc768b3ed8321763db50e4 Mon Sep 17 00:00:00 2001
Chrostoper Ertl <chertl@microsoft.com> no 2021-02-08
CVE-2020-5208_5_lanp-Fix-buffer-overflows-in-get_lan_param_select.patch [PATCH 5/6] lanp: Fix buffer overflows in get_lan_param_select
Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp

The `get_lan_param_select` function is missing a validation check on the
response’s `data_len`, which it then returns to caller functions, where
stack buffer overflow can occur.
Chrostoper Ertl <chertl@microsoft.com> no 2019-11-28
CVE-2020-5208_6-fru-sdr-Fix-id_string-buffer-overflows.patch [PATCH 6/6] fru, sdr: Fix id_string buffer overflows
Final part of the fixes for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp

9 variants of stack buffer overflow when parsing `id_string` field of
SDR records returned from `CMD_GET_SDR` command.

SDR record structs have an `id_code` field, and an `id_string` `char`
array.

The length of `id_string` is calculated as `(id_code & 0x1f) + 1`,
which can be larger than expected 16 characters (if `id_code = 0xff`,
then length will be `(0xff & 0x1f) + 1 = 32`).

In numerous places, this can cause stack buffer overflow when copying
into fixed buffer of size `17` bytes from this calculated length.
Chrostoper Ertl <chertl@microsoft.com> no 2019-11-28
