rpms/scsi-target-utils/devel scsi-target-utils-fix-isns-of.patch, NONE, 1.1 scsi-target-utils-snprintf-fix.patch, NONE, 1.1 scsi-target-utils.spec, 1.16, 1.17
Mike Christie
michaelc at fedoraproject.org
Thu Jul 1 17:21:20 UTC 2010
Author: michaelc
Update of /cvs/pkgs/rpms/scsi-target-utils/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv20801
Modified Files:
scsi-target-utils.spec
Added Files:
scsi-target-utils-fix-isns-of.patch
scsi-target-utils-snprintf-fix.patch
Log Message:
Fix iSNS scn pdu overflows (CVE-2010-2221)
scsi-target-utils-fix-isns-of.patch:
isns.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- NEW FILE scsi-target-utils-fix-isns-of.patch ---
diff -aurp tgt-20091205/usr/iscsi/isns.c tgt-20091205.work/usr/iscsi/isns.c
--- tgt-20091205/usr/iscsi/isns.c 2010-06-27 22:46:36.000000000 -0500
+++ tgt-20091205.work/usr/iscsi/isns.c 2010-06-28 16:43:04.000000000 -0500
@@ -604,17 +604,23 @@ static char *print_scn_pdu(struct isns_h
struct isns_tlv *tlv = (struct isns_tlv *) hdr->pdu;
uint16_t function, length, flags, transaction, sequence;
char *name = NULL;
+ static char iscsi_name[224];
get_hdr_param(hdr, function, length, flags, transaction, sequence);
while (length) {
uint32_t vlen = ntohl(tlv->length);
+ if (vlen + sizeof(*tlv) > length)
+ vlen = length - sizeof(*tlv);
+
switch (ntohl(tlv->tag)) {
case ISNS_ATTR_ISCSI_NAME:
eprintf("scn name: %u, %s\n", vlen, (char *) tlv->value);
- if (!name)
- name = (char *) tlv->value;
+ if (!name) {
+ snprintf(iscsi_name, sizeof(iscsi_name), (char *)tlv->value);
+ name = iscsi_name;
+ }
break;
case ISNS_ATTR_TIMESTAMP:
/* log_error("%u : %u : %" PRIx64, ntohl(tlv->tag), vlen, */
@@ -675,11 +681,17 @@ found:
/* skip status */
tlv = (struct isns_tlv *) ((char *) hdr->pdu + 4);
+
+ if (length < 4)
+ goto free_qry_mgmt;
length -= 4;
while (length) {
uint32_t vlen = ntohl(tlv->length);
+ if (vlen + sizeof(*tlv) > length)
+ vlen = length - sizeof(*tlv);
+
switch (ntohl(tlv->tag)) {
case ISNS_ATTR_ISCSI_NAME:
name = (char *) tlv->value;
scsi-target-utils-snprintf-fix.patch:
isns.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE scsi-target-utils-snprintf-fix.patch ---
--- tgt-1.0.1/usr/iscsi/isns.c.org 2010-03-22 17:18:59.788314323 -0600
+++ tgt-1.0.1/usr/iscsi/isns.c 2010-03-22 17:19:30.833004428 -0600
@@ -316,7 +316,7 @@ static int isns_attr_query(char *name)
tlv = (struct isns_tlv *) hdr->pdu;
if (name)
- snprintf(mgmt->name, sizeof(mgmt->name), name);
+ snprintf(mgmt->name, sizeof(mgmt->name), "%s", name);
else {
mgmt->name[0] = '\0';
target = list_first_entry(&iscsi_targets_list,
@@ -690,7 +690,7 @@ found:
ini = malloc(sizeof(*ini));
if (!ini)
goto free_qry_mgmt;
- snprintf(ini->name, sizeof(ini->name), name);
+ snprintf(ini->name, sizeof(ini->name), "%s", name);
list_add(&ini->ilist, &target->isns_list);
} else
name = NULL;
Index: scsi-target-utils.spec
===================================================================
RCS file: /cvs/pkgs/rpms/scsi-target-utils/devel/scsi-target-utils.spec,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -p -r1.16 -r1.17
--- scsi-target-utils.spec 14 Feb 2010 22:43:08 -0000 1.16
+++ scsi-target-utils.spec 1 Jul 2010 17:21:20 -0000 1.17
@@ -1,6 +1,6 @@
Name: scsi-target-utils
Version: 1.0.1
-Release: 2%{?dist}
+Release: 4%{?dist}
Summary: The SCSI target daemon and utility programs
Group: System Environment/Daemons
@@ -13,6 +13,8 @@ Source3: targets.conf
Patch0: scsi-target-utils-redhatify-docs.patch
Patch1: scsi-target-utils-dynamic-link-iser.patch
Patch2: scsi-target-utils-hack-check-for-eventfd.patch
+Patch3: scsi-target-utils-snprintf-fix.patch
+Patch4: scsi-target-utils-fix-isns-of.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -31,7 +33,8 @@ Currently, software iSCSI targets are su
%patch0 -p1 -b .redhatify-docs
%patch1 -p1 -b .dynamic-link-iser
%patch2 -p1 -b .hack-check-for-eventfd
-
+%patch3 -p1 -b .snprintf-fix
+%patch4 -p1 -b .fix-isns-of
%build
pushd usr
@@ -95,6 +98,12 @@ fi
%changelog
+* Tue Jun 29 2010 Mike Christie <mchristie at redhat.com> - 1.0.1-4
+- Fix iSNS scn pdu overflows (CVE-2010-2221).
+
+* Thu Apr 8 2010 Mike Christie <mchristi at redhat.com> - 1.0.1-3
+- Fix format string vulnerability (CVE-2010-0743)
+
* Sun Feb 14 2010 Terje Rosten <terje.rosten at ntnu.no> - 1.0.1-2
- Update iser patch to build with new link rules
- Fix optflags
More information about the scm-commits
mailing list