Bug 1799040

Summary: CVE-2020-5208 ipmitool: Buffer overflow in read_fru_area_section function in lib/ipmi_fru.c
Product: Red Hat Enterprise Linux 7
Reporter: Vaclav Dolezal <vdolezal>
Component: ipmitool
Assignee: Vaclav Dolezal <vdolezal>
Status: CLOSED CURRENTRELEASE
QA Contact: Rachel Sibley <rasibley>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.7
CC: jridky, jsafrane, ovasik, psampaio, rvr, security-response-team, vdolezal
Target Milestone: rc
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: CVE-2020-5208
Environment:
Last Closed: 2020-04-09 09:46:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1798721
Bug Blocks:

Attachments:
Description                              Flags
Replacement for upstream commit 9452be8  none
The rest of patches                      none

Description Vaclav Dolezal 2020-02-06 13:58:48 UTC
+++ This bug was initially created as a clone of Bug #1798721 +++

It's been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user. This problem is fixed in version 1.8.19.

Upstream patch:

https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2

References:

https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp

--- Additional comment from Pedro Sampaio on 2020-02-05 21:01:57 UTC ---

Created ipmitool tracking bugs for this issue:

Affects: fedora-all [bug 1798722]

Comment 2 Vaclav Dolezal 2020-02-13 10:46:35 UTC
Created attachment 1662925
Replacement for upstream commit 9452be8

Comment 5 Vaclav Dolezal 2020-02-28 14:37:58 UTC
Created attachment 1666398
The rest of patches

Comment 6 Vaclav Dolezal 2020-04-09 09:46:36 UTC
Closing as fix should propagate from RHEL 7.8 and 7.7.z