From 91fa5b424d959e3574fe05acdd2bdb1d68bd95c0 Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Sun, 10 Nov 2024 16:46:38 -0800 Subject: [PATCH] ipmitool: update to 1.8.19 Remove all patches as they are upstreamed. Switch upstream as it moved. Need autoreconf now. Add PKG_INSTALL and PKG_BUILD_PARALLEL for consistency between pachages. Signed-off-by: Rosen Penev --- admin/ipmitool/Makefile | 23 ++- ....1-compatibility-error-storage-size-.patch | 99 ------------- ...iler-happier-about-changes-related-t.patch | 31 ---- ...ool-coredumps-in-EVP_CIPHER_CTX_init.patch | 48 ------ ...CIPHER_CTX_free-instead-of-EVP_CIPHE.patch | 139 ------------------ ...ompile-with-deprecated-APIs-disabled.patch | 42 ------ ...-Fix-buffer-overflow-vulnerabilities.patch | 123 ---------------- ...uffer-overflow-in-ipmi_spd_print_fru.patch | 43 ------ ...er-overflow-in-ipmi_get_session_info.patch | 43 ------ ...020-5208-channel-Fix-buffer-overflow.patch | 32 ---- ...er-overflows-in-get_lan_param_select.patch | 83 ----------- ...u-sdr-Fix-id_string-buffer-overflows.patch | 130 ---------------- admin/ipmitool/patches/0012-gcc10.patch | 33 ----- 13 files changed, 15 insertions(+), 854 deletions(-) delete mode 100644 admin/ipmitool/patches/0001-ID-461-OpenSSL-1.1-compatibility-error-storage-size-.patch delete mode 100644 admin/ipmitool/patches/0002-ID-461-Make-compiler-happier-about-changes-related-t.patch delete mode 100644 admin/ipmitool/patches/0003-ID-480-ipmitool-coredumps-in-EVP_CIPHER_CTX_init.patch delete mode 100644 admin/ipmitool/patches/0004-ID-480-Call-EVP_CIPHER_CTX_free-instead-of-EVP_CIPHE.patch delete mode 100644 admin/ipmitool/patches/0005-ipmitool-Fix-compile-with-deprecated-APIs-disabled.patch delete mode 100644 admin/ipmitool/patches/0006-CVE-2020-5208-fru-Fix-buffer-overflow-vulnerabilities.patch delete mode 100644 admin/ipmitool/patches/0007-CVE-2020-5208-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch delete mode 100644 admin/ipmitool/patches/0008-CVE-2020-5208-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch delete mode 100644 admin/ipmitool/patches/0009-CVE-2020-5208-channel-Fix-buffer-overflow.patch delete mode 100644 admin/ipmitool/patches/0010-CVE-2020-5208-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch delete mode 100644 admin/ipmitool/patches/0011-CVE-2020-5208-fru-sdr-Fix-id_string-buffer-overflows.patch delete mode 100644 admin/ipmitool/patches/0012-gcc10.patch diff --git a/admin/ipmitool/Makefile b/admin/ipmitool/Makefile index 1fc6dfec54..c00f4e368d 100644 --- a/admin/ipmitool/Makefile +++ b/admin/ipmitool/Makefile @@ -8,16 +8,23 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ipmitool -PKG_VERSION:=1.8.18 -PKG_RELEASE:=5 +PKG_VERSION:=1.8.19 +PKG_RELEASE:=1 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 -PKG_SOURCE_URL:=@SF/$(PKG_NAME) -PKG_HASH:=0c1ba3b1555edefb7c32ae8cd6a3e04322056bc087918f07189eeedfc8b81e01 +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=https://codeberg.org/IPMITool/ipmitool +PKG_SOURCE_VERSION:=IPMITOOL_$(subst .,_,$(PKG_VERSION)) +PKG_MIRROR_HASH:=a3f0d3510fc47cbfd752f58084a72a09d0d5b23113bd87bf78ee32e74adcb4bc + +PKG_MAINTAINER:=Alexander Couzens PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=COPYING PKG_CPE_ID:=cpe:/a:ipmitool_project:ipmitool +PKG_FIXUP=autoreconf +PKG_INSTALL:=1 +PKG_BUILD_PARALLEL:=1 + include $(INCLUDE_DIR)/package.mk define Package/ipmitool @@ -26,7 +33,6 @@ define Package/ipmitool DEPENDS:=+libopenssl +libncurses +libreadline TITLE:=Command-line interface to IPMI-enabled devices URL:=https://github.com/ipmitool/ipmitool - MAINTAINER:=Alexander Couzens endef define Package/ipmitool/Default/description @@ -34,9 +40,10 @@ define Package/ipmitool/Default/description endef define Package/ipmitool/install + $(INSTALL_DIR) $(1)/usr/bin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/ipmitool $(1)/usr/bin/ $(INSTALL_DIR) $(1)/usr/sbin/ - $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ipmievd $(1)/usr/sbin/ - $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ipmitool $(1)/usr/sbin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipmievd $(1)/usr/sbin/ endef CONFIGURE_ARGS += \ diff --git a/admin/ipmitool/patches/0001-ID-461-OpenSSL-1.1-compatibility-error-storage-size-.patch b/admin/ipmitool/patches/0001-ID-461-OpenSSL-1.1-compatibility-error-storage-size-.patch deleted file mode 100644 index 582e17d433..0000000000 --- a/admin/ipmitool/patches/0001-ID-461-OpenSSL-1.1-compatibility-error-storage-size-.patch +++ /dev/null @@ -1,99 +0,0 @@ -From b57487e360916ab3eaa50aa6d021c73b6337a4a0 Mon Sep 17 00:00:00 2001 -From: Dennis Schridde -Date: Wed, 30 Nov 2016 17:33:00 +0100 -Subject: [PATCH 1/4] ID:461 - OpenSSL 1.1 compatibility - "error: storage size - of 'ctx' isn't known" - -In OpenSSL 1.1 EVP_CIPHER_CTX became opaque, cf. `man 3ssl EVP_EncryptInit` - -Fixes: ID:461 ---- - src/plugins/lanplus/lanplus_crypt_impl.c | 28 ++++++++++++++-------------- - 1 file changed, 14 insertions(+), 14 deletions(-) - ---- a/src/plugins/lanplus/lanplus_crypt_impl.c -+++ b/src/plugins/lanplus/lanplus_crypt_impl.c -@@ -164,10 +164,10 @@ lanplus_encrypt_aes_cbc_128(const uint8_ - uint8_t * output, - uint32_t * bytes_written) - { -- EVP_CIPHER_CTX ctx; -- EVP_CIPHER_CTX_init(&ctx); -- EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv); -- EVP_CIPHER_CTX_set_padding(&ctx, 0); -+ EVP_CIPHER_CTX* ctx; -+ EVP_CIPHER_CTX_init(ctx); -+ EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); -+ EVP_CIPHER_CTX_set_padding(ctx, 0); - - - *bytes_written = 0; -@@ -191,7 +191,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_ - assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0); - - -- if(!EVP_EncryptUpdate(&ctx, output, (int *)bytes_written, input, input_length)) -+ if(!EVP_EncryptUpdate(ctx, output, (int *)bytes_written, input, input_length)) - { - /* Error */ - *bytes_written = 0; -@@ -201,7 +201,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_ - { - uint32_t tmplen; - -- if(!EVP_EncryptFinal_ex(&ctx, output + *bytes_written, (int *)&tmplen)) -+ if(!EVP_EncryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen)) - { - *bytes_written = 0; - return; /* Error */ -@@ -210,7 +210,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_ - { - /* Success */ - *bytes_written += tmplen; -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_cleanup(ctx); - } - } - } -@@ -239,10 +239,10 @@ lanplus_decrypt_aes_cbc_128(const uint8_ - uint8_t * output, - uint32_t * bytes_written) - { -- EVP_CIPHER_CTX ctx; -- EVP_CIPHER_CTX_init(&ctx); -- EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv); -- EVP_CIPHER_CTX_set_padding(&ctx, 0); -+ EVP_CIPHER_CTX* ctx; -+ EVP_CIPHER_CTX_init(ctx); -+ EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); -+ EVP_CIPHER_CTX_set_padding(ctx, 0); - - - if (verbose >= 5) -@@ -266,7 +266,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_ - assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0); - - -- if (!EVP_DecryptUpdate(&ctx, output, (int *)bytes_written, input, input_length)) -+ if (!EVP_DecryptUpdate(ctx, output, (int *)bytes_written, input, input_length)) - { - /* Error */ - lprintf(LOG_DEBUG, "ERROR: decrypt update failed"); -@@ -277,7 +277,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_ - { - uint32_t tmplen; - -- if (!EVP_DecryptFinal_ex(&ctx, output + *bytes_written, (int *)&tmplen)) -+ if (!EVP_DecryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen)) - { - char buffer[1000]; - ERR_error_string(ERR_get_error(), buffer); -@@ -290,7 +290,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_ - { - /* Success */ - *bytes_written += tmplen; -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_cleanup(ctx); - } - } - diff --git a/admin/ipmitool/patches/0002-ID-461-Make-compiler-happier-about-changes-related-t.patch b/admin/ipmitool/patches/0002-ID-461-Make-compiler-happier-about-changes-related-t.patch deleted file mode 100644 index 9690d879b6..0000000000 --- a/admin/ipmitool/patches/0002-ID-461-Make-compiler-happier-about-changes-related-t.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 77fe5635037ebaf411cae46cf5045ca819b5c145 Mon Sep 17 00:00:00 2001 -From: Zdenek Styblik -Date: Sun, 15 Jan 2017 15:11:25 +0100 -Subject: [PATCH 2/4] ID:461 - Make compiler happier about changes related to - OpenSSL 1.1 - -Complaint was that ctx isn't initialized. ---- - src/plugins/lanplus/lanplus_crypt_impl.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/src/plugins/lanplus/lanplus_crypt_impl.c -+++ b/src/plugins/lanplus/lanplus_crypt_impl.c -@@ -164,7 +164,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_ - uint8_t * output, - uint32_t * bytes_written) - { -- EVP_CIPHER_CTX* ctx; -+ EVP_CIPHER_CTX *ctx = NULL; - EVP_CIPHER_CTX_init(ctx); - EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); - EVP_CIPHER_CTX_set_padding(ctx, 0); -@@ -239,7 +239,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_ - uint8_t * output, - uint32_t * bytes_written) - { -- EVP_CIPHER_CTX* ctx; -+ EVP_CIPHER_CTX *ctx = NULL; - EVP_CIPHER_CTX_init(ctx); - EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); - EVP_CIPHER_CTX_set_padding(ctx, 0); diff --git a/admin/ipmitool/patches/0003-ID-480-ipmitool-coredumps-in-EVP_CIPHER_CTX_init.patch b/admin/ipmitool/patches/0003-ID-480-ipmitool-coredumps-in-EVP_CIPHER_CTX_init.patch deleted file mode 100644 index db388e4efa..0000000000 --- a/admin/ipmitool/patches/0003-ID-480-ipmitool-coredumps-in-EVP_CIPHER_CTX_init.patch +++ /dev/null @@ -1,48 +0,0 @@ -From f004b4b7197fc83e7d47ec8cbcaefffa9a922717 Mon Sep 17 00:00:00 2001 -From: Zdenek Styblik -Date: Sun, 12 Mar 2017 14:00:35 +0100 -Subject: [PATCH 3/4] ID:480 - ipmitool coredumps in EVP_CIPHER_CTX_init - -IPMI tool coredumps due to changes introduced in ID:461. This shouldn't be -surprise as a NULL pointer is passed to init. Commit addresses this issue by -calling EVP_CIPHER_CTX_new() instead of EVP_CIPHER_CTX_init(), which is -deprecated, and by checking return value of call to former function. ---- - src/plugins/lanplus/lanplus_crypt_impl.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - ---- a/src/plugins/lanplus/lanplus_crypt_impl.c -+++ b/src/plugins/lanplus/lanplus_crypt_impl.c -@@ -165,10 +165,13 @@ lanplus_encrypt_aes_cbc_128(const uint8_ - uint32_t * bytes_written) - { - EVP_CIPHER_CTX *ctx = NULL; -- EVP_CIPHER_CTX_init(ctx); -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) { -+ *bytes_written = 0; -+ return; -+ } - EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); - EVP_CIPHER_CTX_set_padding(ctx, 0); -- - - *bytes_written = 0; - -@@ -240,11 +243,14 @@ lanplus_decrypt_aes_cbc_128(const uint8_ - uint32_t * bytes_written) - { - EVP_CIPHER_CTX *ctx = NULL; -- EVP_CIPHER_CTX_init(ctx); -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) { -+ *bytes_written = 0; -+ return; -+ } - EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); - EVP_CIPHER_CTX_set_padding(ctx, 0); - -- - if (verbose >= 5) - { - printbuf(iv, 16, "decrypting with this IV"); diff --git a/admin/ipmitool/patches/0004-ID-480-Call-EVP_CIPHER_CTX_free-instead-of-EVP_CIPHE.patch b/admin/ipmitool/patches/0004-ID-480-Call-EVP_CIPHER_CTX_free-instead-of-EVP_CIPHE.patch deleted file mode 100644 index c081cc53a2..0000000000 --- a/admin/ipmitool/patches/0004-ID-480-Call-EVP_CIPHER_CTX_free-instead-of-EVP_CIPHE.patch +++ /dev/null @@ -1,139 +0,0 @@ -From 1664902525a1c3771b4d8b3ccab7ea1ba6b2bdd1 Mon Sep 17 00:00:00 2001 -From: Holger Liebig -Date: Tue, 4 Apr 2017 20:43:05 +0200 -Subject: [PATCH 4/4] ID:480 - Call EVP_CIPHER_CTX_free() instead of - EVP_CIPHER_CTX_cleanup() - -Call EVP_CIPHER_CTX_free() instead of EVP_CIPHER_CTX_cleanup() to fix memory -leak. ---- - src/plugins/lanplus/lanplus_crypt_impl.c | 44 +++++++++++++++++--------------- - 1 file changed, 23 insertions(+), 21 deletions(-) - ---- a/src/plugins/lanplus/lanplus_crypt_impl.c -+++ b/src/plugins/lanplus/lanplus_crypt_impl.c -@@ -165,13 +165,6 @@ lanplus_encrypt_aes_cbc_128(const uint8_ - uint32_t * bytes_written) - { - EVP_CIPHER_CTX *ctx = NULL; -- ctx = EVP_CIPHER_CTX_new(); -- if (ctx == NULL) { -- *bytes_written = 0; -- return; -- } -- EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); -- EVP_CIPHER_CTX_set_padding(ctx, 0); - - *bytes_written = 0; - -@@ -185,6 +178,14 @@ lanplus_encrypt_aes_cbc_128(const uint8_ - printbuf(input, input_length, "encrypting this data"); - } - -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) { -+ lprintf(LOG_DEBUG, "ERROR: EVP_CIPHER_CTX_new() failed"); -+ return; -+ } -+ EVP_CIPHER_CTX_init(ctx); -+ EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); -+ EVP_CIPHER_CTX_set_padding(ctx, 0); - - /* - * The default implementation adds a whole block of padding if the input -@@ -198,7 +199,6 @@ lanplus_encrypt_aes_cbc_128(const uint8_ - { - /* Error */ - *bytes_written = 0; -- return; - } - else - { -@@ -206,16 +206,17 @@ lanplus_encrypt_aes_cbc_128(const uint8_ - - if(!EVP_EncryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen)) - { -+ /* Error */ - *bytes_written = 0; -- return; /* Error */ - } - else - { - /* Success */ - *bytes_written += tmplen; -- EVP_CIPHER_CTX_cleanup(ctx); - } - } -+ /* performs cleanup and free */ -+ EVP_CIPHER_CTX_free(ctx); - } - - -@@ -243,13 +244,6 @@ lanplus_decrypt_aes_cbc_128(const uint8_ - uint32_t * bytes_written) - { - EVP_CIPHER_CTX *ctx = NULL; -- ctx = EVP_CIPHER_CTX_new(); -- if (ctx == NULL) { -- *bytes_written = 0; -- return; -- } -- EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); -- EVP_CIPHER_CTX_set_padding(ctx, 0); - - if (verbose >= 5) - { -@@ -258,12 +252,20 @@ lanplus_decrypt_aes_cbc_128(const uint8_ - printbuf(input, input_length, "decrypting this data"); - } - -- - *bytes_written = 0; - - if (input_length == 0) - return; - -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) { -+ lprintf(LOG_DEBUG, "ERROR: EVP_CIPHER_CTX_new() failed"); -+ return; -+ } -+ EVP_CIPHER_CTX_init(ctx); -+ EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); -+ EVP_CIPHER_CTX_set_padding(ctx, 0); -+ - /* - * The default implementation adds a whole block of padding if the input - * data is perfectly aligned. We would like to keep that from happening. -@@ -277,7 +279,6 @@ lanplus_decrypt_aes_cbc_128(const uint8_ - /* Error */ - lprintf(LOG_DEBUG, "ERROR: decrypt update failed"); - *bytes_written = 0; -- return; - } - else - { -@@ -285,20 +286,21 @@ lanplus_decrypt_aes_cbc_128(const uint8_ - - if (!EVP_DecryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen)) - { -+ /* Error */ - char buffer[1000]; - ERR_error_string(ERR_get_error(), buffer); - lprintf(LOG_DEBUG, "the ERR error %s", buffer); - lprintf(LOG_DEBUG, "ERROR: decrypt final failed"); - *bytes_written = 0; -- return; /* Error */ - } - else - { - /* Success */ - *bytes_written += tmplen; -- EVP_CIPHER_CTX_cleanup(ctx); - } - } -+ /* performs cleanup and free */ -+ EVP_CIPHER_CTX_free(ctx); - - if (verbose >= 5) - { diff --git a/admin/ipmitool/patches/0005-ipmitool-Fix-compile-with-deprecated-APIs-disabled.patch b/admin/ipmitool/patches/0005-ipmitool-Fix-compile-with-deprecated-APIs-disabled.patch deleted file mode 100644 index 308079189e..0000000000 --- a/admin/ipmitool/patches/0005-ipmitool-Fix-compile-with-deprecated-APIs-disabled.patch +++ /dev/null @@ -1,42 +0,0 @@ -From cf39da53236abf02d39c6a98a645488933f3e861 Mon Sep 17 00:00:00 2001 -From: Rosen Penev -Date: Tue, 21 Aug 2018 19:29:07 -0700 -Subject: [PATCH] ipmitool: Fix compile with deprecated APIs disabled. - -From the man page: - -EVP_CIPHER_CTX was made opaque in OpenSSL 1.1.0. As a result, -EVP_CIPHER_CTX_reset() appeared and EVP_CIPHER_CTX_cleanup() disappeared. -EVP_CIPHER_CTX_init() remains as an alias for EVP_CIPHER_CTX_reset(). - -Signed-off-by: Rosen Penev ---- - src/plugins/lanplus/lanplus_crypt_impl.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - ---- a/src/plugins/lanplus/lanplus_crypt_impl.c -+++ b/src/plugins/lanplus/lanplus_crypt_impl.c -@@ -183,7 +183,11 @@ lanplus_encrypt_aes_cbc_128(const uint8_ - lprintf(LOG_DEBUG, "ERROR: EVP_CIPHER_CTX_new() failed"); - return; - } -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - EVP_CIPHER_CTX_init(ctx); -+#else -+ EVP_CIPHER_CTX_reset(ctx); -+#endif - EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); - EVP_CIPHER_CTX_set_padding(ctx, 0); - -@@ -262,7 +266,11 @@ lanplus_decrypt_aes_cbc_128(const uint8_ - lprintf(LOG_DEBUG, "ERROR: EVP_CIPHER_CTX_new() failed"); - return; - } -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - EVP_CIPHER_CTX_init(ctx); -+#else -+ EVP_CIPHER_CTX_reset(ctx); -+#endif - EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); - EVP_CIPHER_CTX_set_padding(ctx, 0); - diff --git a/admin/ipmitool/patches/0006-CVE-2020-5208-fru-Fix-buffer-overflow-vulnerabilities.patch b/admin/ipmitool/patches/0006-CVE-2020-5208-fru-Fix-buffer-overflow-vulnerabilities.patch deleted file mode 100644 index 17341c98f3..0000000000 --- a/admin/ipmitool/patches/0006-CVE-2020-5208-fru-Fix-buffer-overflow-vulnerabilities.patch +++ /dev/null @@ -1,123 +0,0 @@ -From 960dbb956d9f9cb05b719087faed53c88dc80956 Mon Sep 17 00:00:00 2001 -From: Chrostoper Ertl -Date: Thu, 28 Nov 2019 16:33:59 +0000 -Subject: [PATCH 06/11] fru: Fix buffer overflow vulnerabilities - -Partial fix for CVE-2020-5208, see -https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp - -The `read_fru_area_section` function only performs size validation of -requested read size, and falsely assumes that the IPMI message will not -respond with more than the requested amount of data; it uses the -unvalidated response size to copy into `frubuf`. If the response is -larger than the request, this can result in overflowing the buffer. - -The same issue affects the `read_fru_area` function. ---- - lib/ipmi_fru.c | 33 +++++++++++++++++++++++++++++++-- - 1 file changed, 31 insertions(+), 2 deletions(-) - ---- a/lib/ipmi_fru.c -+++ b/lib/ipmi_fru.c -@@ -615,7 +615,10 @@ int - read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - uint32_t offset, uint32_t length, uint8_t *frubuf) - { -- uint32_t off = offset, tmp, finish; -+ uint32_t off = offset; -+ uint32_t tmp; -+ uint32_t finish; -+ uint32_t size_left_in_buffer; - struct ipmi_rs * rsp; - struct ipmi_rq req; - uint8_t msg_data[4]; -@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, s - - finish = offset + length; - if (finish > fru->size) { -+ memset(frubuf + fru->size, 0, length - fru->size); - finish = fru->size; - lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " - "Adjusting to %d", - offset + length, finish - offset); -+ length = finish - offset; - } - - memset(&req, 0, sizeof(req)); -@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, s - } - } - -+ size_left_in_buffer = length; - do { - tmp = fru->access ? off >> 1 : off; - msg_data[0] = id; -@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, s - } - - tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; -+ if(rsp->data_len < 1 -+ || tmp > rsp->data_len - 1 -+ || tmp > size_left_in_buffer) -+ { -+ printf(" Not enough buffer size"); -+ return -1; -+ } -+ - memcpy(frubuf, rsp->data + 1, tmp); - off += tmp; - frubuf += tmp; -+ size_left_in_buffer -= tmp; - /* sometimes the size returned in the Info command - * is too large. return 0 so higher level function - * still attempts to parse what was returned */ -@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * - uint32_t offset, uint32_t length, uint8_t *frubuf) - { - static uint32_t fru_data_rqst_size = 20; -- uint32_t off = offset, tmp, finish; -+ uint32_t off = offset; -+ uint32_t tmp, finish; -+ uint32_t size_left_in_buffer; - struct ipmi_rs * rsp; - struct ipmi_rq req; - uint8_t msg_data[4]; -@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * - - finish = offset + length; - if (finish > fru->size) { -+ memset(frubuf + fru->size, 0, length - fru->size); - finish = fru->size; - lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " - "Adjusting to %d", - offset + length, finish - offset); -+ length = finish - offset; - } - - memset(&req, 0, sizeof(req)); -@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * - if (fru->access && fru_data_rqst_size > 16) - #endif - fru_data_rqst_size = 16; -+ -+ size_left_in_buffer = length; - do { - tmp = fru->access ? off >> 1 : off; - msg_data[0] = id; -@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * - } - - tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; -+ if(rsp->data_len < 1 -+ || tmp > rsp->data_len - 1 -+ || tmp > size_left_in_buffer) -+ { -+ printf(" Not enough buffer size"); -+ return -1; -+ } - memcpy((frubuf + off)-offset, rsp->data + 1, tmp); - off += tmp; -+ size_left_in_buffer -= tmp; - - /* sometimes the size returned in the Info command - * is too large. return 0 so higher level function diff --git a/admin/ipmitool/patches/0007-CVE-2020-5208-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/admin/ipmitool/patches/0007-CVE-2020-5208-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch deleted file mode 100644 index 2656dfccc1..0000000000 --- a/admin/ipmitool/patches/0007-CVE-2020-5208-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 910e5782b7d9f222d4e34d3505d0d636ff757103 Mon Sep 17 00:00:00 2001 -From: Chrostoper Ertl -Date: Thu, 28 Nov 2019 16:44:18 +0000 -Subject: [PATCH 07/11] fru: Fix buffer overflow in ipmi_spd_print_fru - -Partial fix for CVE-2020-5208, see -https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp - -The `ipmi_spd_print_fru` function has a similar issue as the one fixed -by the previous commit in `read_fru_area_section`. An initial request is -made to get the `fru.size`, which is used as the size for the allocation -of `spd_data`. Inside a loop, further requests are performed to get the -copy sizes which are not checked before being used as the size for a -copy into the buffer. ---- - lib/dimm_spd.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - ---- a/lib/dimm_spd.c -+++ b/lib/dimm_spd.c -@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * in - struct ipmi_rq req; - struct fru_info fru; - uint8_t *spd_data, msg_data[4]; -- int len, offset; -+ uint32_t len, offset; - - msg_data[0] = id; - -@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * in - } - - len = rsp->data[0]; -+ if(rsp->data_len < 1 -+ || len > rsp->data_len - 1 -+ || len > fru.size - offset) -+ { -+ printf(" Not enough buffer size"); -+ return -1; -+ } - memcpy(&spd_data[offset], rsp->data + 1, len); - offset += len; - } while (offset < fru.size); diff --git a/admin/ipmitool/patches/0008-CVE-2020-5208-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch b/admin/ipmitool/patches/0008-CVE-2020-5208-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch deleted file mode 100644 index 00ecd42723..0000000000 --- a/admin/ipmitool/patches/0008-CVE-2020-5208-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 4f7778ed232a92bde388f38917b94f458a82c78e Mon Sep 17 00:00:00 2001 -From: Chrostoper Ertl -Date: Thu, 28 Nov 2019 16:51:49 +0000 -Subject: [PATCH 08/11] session: Fix buffer overflow in ipmi_get_session_info - -Partial fix for CVE-2020-5208, see -https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp - -The `ipmi_get_session_info` function does not properly check the -response `data_len`, which is used as a copy size, allowing stack buffer -overflow. ---- - lib/ipmi_session.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - ---- a/lib/ipmi_session.c -+++ b/lib/ipmi_session.c -@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf - } - else - { -- memcpy(&session_info, rsp->data, rsp->data_len); -- print_session_info(&session_info, rsp->data_len); -+ memcpy(&session_info, rsp->data, -+ __min(rsp->data_len, sizeof(session_info))); -+ print_session_info(&session_info, -+ __min(rsp->data_len, sizeof(session_info))); - } - break; - -@@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf - break; - } - -- memcpy(&session_info, rsp->data, rsp->data_len); -- print_session_info(&session_info, rsp->data_len); -+ memcpy(&session_info, rsp->data, -+ __min(rsp->data_len, sizeof(session_info))); -+ print_session_info(&session_info, -+ __min(rsp->data_len, sizeof(session_info))); - - } while (i <= session_info.session_slot_count); - break; diff --git a/admin/ipmitool/patches/0009-CVE-2020-5208-channel-Fix-buffer-overflow.patch b/admin/ipmitool/patches/0009-CVE-2020-5208-channel-Fix-buffer-overflow.patch deleted file mode 100644 index e4ea7734fa..0000000000 --- a/admin/ipmitool/patches/0009-CVE-2020-5208-channel-Fix-buffer-overflow.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 743dd4faa302f22950e4438cf684e1e398eb47eb Mon Sep 17 00:00:00 2001 -From: Chrostoper Ertl -Date: Thu, 28 Nov 2019 16:56:38 +0000 -Subject: [PATCH 09/11] channel: Fix buffer overflow -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Partial fix for CVE-2020-5208, see -https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp - -The `ipmi_get_channel_cipher_suites` function does not properly check -the final response’s `data_len`, which can lead to stack buffer overflow -on the final copy. ---- - lib/ipmi_channel.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/lib/ipmi_channel.c -+++ b/lib/ipmi_channel.c -@@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ip - lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); - return -1; - } -- if (rsp->ccode > 0) { -+ if (rsp->ccode -+ || rsp->data_len < 1 -+ || rsp->data_len > sizeof(uint8_t) + 0x10) -+ { - lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", - val2str(rsp->ccode, completion_code_vals)); - return -1; diff --git a/admin/ipmitool/patches/0010-CVE-2020-5208-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch b/admin/ipmitool/patches/0010-CVE-2020-5208-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch deleted file mode 100644 index cf33f9d9d0..0000000000 --- a/admin/ipmitool/patches/0010-CVE-2020-5208-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch +++ /dev/null @@ -1,83 +0,0 @@ -From e048e9c65a52f0879d482531e70735c1d314d43a Mon Sep 17 00:00:00 2001 -From: Chrostoper Ertl -Date: Thu, 28 Nov 2019 17:06:39 +0000 -Subject: [PATCH 10/11] lanp: Fix buffer overflows in get_lan_param_select -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Partial fix for CVE-2020-5208, see -https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp - -The `get_lan_param_select` function is missing a validation check on the -response’s `data_len`, which it then returns to caller functions, where -stack buffer overflow can occur. ---- - lib/ipmi_lanp.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - ---- a/lib/ipmi_lanp.c -+++ b/lib/ipmi_lanp.c -@@ -1809,7 +1809,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - /* set new ipaddr */ - memcpy(data+3, temp, 4); - printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert, -@@ -1824,7 +1824,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - /* set new macaddr */ - memcpy(data+7, temp, 6); - printf("Setting LAN Alert %d MAC Address to " -@@ -1838,7 +1838,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (strncasecmp(argv[1], "def", 3) == 0 || - strncasecmp(argv[1], "default", 7) == 0) { -@@ -1864,7 +1864,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (strncasecmp(argv[1], "on", 2) == 0 || - strncasecmp(argv[1], "yes", 3) == 0) { -@@ -1889,7 +1889,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (strncasecmp(argv[1], "pet", 3) == 0) { - printf("Setting LAN Alert %d destination to PET Trap\n", alert); -@@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (str2uchar(argv[1], &data[2]) != 0) { - lprintf(LOG_ERR, "Invalid time: %s", argv[1]); -@@ -1933,7 +1933,7 @@ ipmi_lan_alert_set(struct ipmi_intf * in - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (str2uchar(argv[1], &data[3]) != 0) { - lprintf(LOG_ERR, "Invalid retry: %s", argv[1]); diff --git a/admin/ipmitool/patches/0011-CVE-2020-5208-fru-sdr-Fix-id_string-buffer-overflows.patch b/admin/ipmitool/patches/0011-CVE-2020-5208-fru-sdr-Fix-id_string-buffer-overflows.patch deleted file mode 100644 index 2fd34d186e..0000000000 --- a/admin/ipmitool/patches/0011-CVE-2020-5208-fru-sdr-Fix-id_string-buffer-overflows.patch +++ /dev/null @@ -1,130 +0,0 @@ -From 98b47424cf548f58c4d295fa8235210406ea85ca Mon Sep 17 00:00:00 2001 -From: Chrostoper Ertl -Date: Thu, 28 Nov 2019 17:13:45 +0000 -Subject: [PATCH 11/11] fru, sdr: Fix id_string buffer overflows - -Final part of the fixes for CVE-2020-5208, see -https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp - -9 variants of stack buffer overflow when parsing `id_string` field of -SDR records returned from `CMD_GET_SDR` command. - -SDR record structs have an `id_code` field, and an `id_string` `char` -array. - -The length of `id_string` is calculated as `(id_code & 0x1f) + 1`, -which can be larger than expected 16 characters (if `id_code = 0xff`, -then length will be `(0xff & 0x1f) + 1 = 32`). - -In numerous places, this can cause stack buffer overflow when copying -into fixed buffer of size `17` bytes from this calculated length. ---- - lib/ipmi_fru.c | 2 +- - lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++---------------- - 2 files changed, 25 insertions(+), 17 deletions(-) - ---- a/lib/ipmi_fru.c -+++ b/lib/ipmi_fru.c -@@ -3062,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf, - return 0; - - memset(desc, 0, sizeof(desc)); -- memcpy(desc, fru->id_string, fru->id_code & 0x01f); -+ memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc))); - desc[fru->id_code & 0x01f] = 0; - printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id); - ---- a/lib/ipmi_sdr.c -+++ b/lib/ipmi_sdr.c -@@ -2084,7 +2084,7 @@ ipmi_sdr_print_sensor_eventonly(struct i - return -1; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string); - - if (verbose) { - printf("Sensor ID : %s (0x%x)\n", -@@ -2135,7 +2135,7 @@ ipmi_sdr_print_sensor_mc_locator(struct - return -1; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string); - - if (verbose == 0) { - if (csv_output) -@@ -2228,7 +2228,7 @@ ipmi_sdr_print_sensor_generic_locator(st - char desc[17]; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string); - - if (!verbose) { - if (csv_output) -@@ -2285,7 +2285,7 @@ ipmi_sdr_print_sensor_fru_locator(struct - char desc[17]; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string); - - if (!verbose) { - if (csv_output) -@@ -2489,35 +2489,43 @@ ipmi_sdr_print_name_from_rawentry(struct - - int rc =0; - char desc[17]; -+ const char *id_string; -+ uint8_t id_code; - memset(desc, ' ', sizeof (desc)); - - switch ( type) { - case SDR_RECORD_TYPE_FULL_SENSOR: - record.full = (struct sdr_record_full_sensor *) raw; -- snprintf(desc, (record.full->id_code & 0x1f) +1, "%s", -- (const char *)record.full->id_string); -+ id_code = record.full->id_code; -+ id_string = record.full->id_string; - break; -+ - case SDR_RECORD_TYPE_COMPACT_SENSOR: - record.compact = (struct sdr_record_compact_sensor *) raw ; -- snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s", -- (const char *)record.compact->id_string); -+ id_code = record.compact->id_code; -+ id_string = record.compact->id_string; - break; -+ - case SDR_RECORD_TYPE_EVENTONLY_SENSOR: - record.eventonly = (struct sdr_record_eventonly_sensor *) raw ; -- snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s", -- (const char *)record.eventonly->id_string); -- break; -+ id_code = record.eventonly->id_code; -+ id_string = record.eventonly->id_string; -+ break; -+ - case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR: - record.mcloc = (struct sdr_record_mc_locator *) raw ; -- snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s", -- (const char *)record.mcloc->id_string); -+ id_code = record.mcloc->id_code; -+ id_string = record.mcloc->id_string; - break; -+ - default: - rc = -1; -- break; -- } -+ } -+ if (!rc) { -+ snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string); -+ } - -- lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); -+ lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); - return rc; - } - diff --git a/admin/ipmitool/patches/0012-gcc10.patch b/admin/ipmitool/patches/0012-gcc10.patch deleted file mode 100644 index 1fba0b79b9..0000000000 --- a/admin/ipmitool/patches/0012-gcc10.patch +++ /dev/null @@ -1,33 +0,0 @@ -From c3939dac2c060651361fc71516806f9ab8c38901 Mon Sep 17 00:00:00 2001 -From: Vaclav Dolezal -Date: Thu, 23 Jan 2020 11:26:32 +0100 -Subject: [PATCH] hpmfwupg: move variable definition to .c file - -Signed-off-by: Vaclav Dolezal ---- - include/ipmitool/ipmi_hpmfwupg.h | 2 +- - lib/ipmi_hpmfwupg.c | 2 ++ - 2 files changed, 3 insertions(+), 1 deletion(-) - ---- a/include/ipmitool/ipmi_hpmfwupg.h -+++ b/include/ipmitool/ipmi_hpmfwupg.h -@@ -800,7 +800,7 @@ typedef struct _VERSIONINFO { - char descString[HPMFWUPG_DESC_STRING_LENGTH + 1]; - }VERSIONINFO, *PVERSIONINFO; - --VERSIONINFO gVersionInfo[HPMFWUPG_COMPONENT_ID_MAX]; -+extern VERSIONINFO gVersionInfo[HPMFWUPG_COMPONENT_ID_MAX]; - - #define TARGET_VER (0x01) - #define ROLLBACK_VER (0x02) ---- a/lib/ipmi_hpmfwupg.c -+++ b/lib/ipmi_hpmfwupg.c -@@ -58,6 +58,8 @@ ipmi_intf_get_max_request_data_size(stru - - extern int verbose; - -+VERSIONINFO gVersionInfo[HPMFWUPG_COMPONENT_ID_MAX]; -+ - int HpmfwupgUpgrade(struct ipmi_intf *intf, char *imageFilename, - int activate, int, int); - int HpmfwupgValidateImageIntegrity(struct HpmfwupgUpgradeCtx *pFwupgCtx);