Bug 714240

Summary: tftp: utimeout option parsing buffer overflow
Product: Red Hat Enterprise Linux 6 Reporter: Tomas Hoger <thoger>
Component: tftpAssignee: Jiri Skala <jskala>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low Docs Contact:
Priority: low    
Version: 6.1CC: aglotov, mmcallis, mvadkert, ovasik, pkovar, thoger
Target Milestone: rcKeywords: Patch
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
The tftpd daemon did not correctly handle the utimeout option value. If a client specified a utimeout value within the permitted range, it caused the tftpd process to crash. This crash only affected the current tftp request.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-08-10 09:34:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 713950    

Description Tomas Hoger 2011-06-17 16:52:51 UTC 
Description of problem:
There is a buffer overflow in the tftp's utimeout option parsing code - see bug #713950.  This overflow has no security impact, as it's caught be FORTIFY_SOURCE.  However, it makes utimeout option unusable.  set_utimeout() checks that option value is >= 10000UL and <= 255000000UL.  All values in that range trigger the overflow.

Version-Release number of selected component (if applicable):
tftp-0.49-5.1.el6
Comment 4 RHEL Program Management 2011-07-05 23:45:33 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.
Comment 17 Petr Kovar 2011-08-04 12:23:08 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The tftpd daemon did not correctly handle the "utimeout" option value. If a client specified a "utimeout" value larger than 1000UL, it caused the tftpd process to crash. This crash only affected the current tftp request.
Comment 19 Petr Kovar 2011-08-04 13:20:30 UTC 
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-The tftpd daemon did not correctly handle the "utimeout" option value. If a client specified a "utimeout" value larger than 1000UL, it caused the tftpd process to crash. This crash only affected the current tftp request.+The tftpd daemon did not correctly handle the utimeout option value. If a client specified a utimeout value within the permitted range, it caused the tftpd process to crash. This crash only affected the current tftp request.
Comment 21 errata-xmlrpc 2011-08-10 09:34:59 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1133.html