From 0eaa344556d29b9d142393b21f78e7acf79e6c4b Mon Sep 17 00:00:00 2001
From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
Date: Fri, 4 Jul 2025 13:47:08 +0800
Subject: [PATCH] [CVE] CVE-2025-46836 to #21060 add patch to fix CVE-2025-46836 Project: TC2024080204
Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
---
 2-bugfix-for-CVE-2025-46836.patch | 87 +++++++++++++++++++++++++++++++
 net-tools.spec | 6 ++-
 2 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 2-bugfix-for-CVE-2025-46836.patch
diff --git a/2-bugfix-for-CVE-2025-46836.patch b/2-bugfix-for-CVE-2025-46836.patch
new file mode 100644
index 0000000..d9eb798
--- /dev/null
+++ b/2-bugfix-for-CVE-2025-46836.patch
@@ -0,0 +1,87 @@
+From 7a8f42fb20013a1493d8cae1c43436f85e656f2d Mon Sep 17 00:00:00 2001
+From: Zephkeks
+Date: Tue, 13 May 2025 11:04:17 +0200
+Subject: [PATCH] CVE-2025-46836: interface.c: Stack-based Buffer Overflow in
+ get_name()
+
+Coordinated as GHSA-pfwf-h6m3-63wf
+---
+ lib/interface.c | 63 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 24 deletions(-)
+
+diff --git a/lib/interface.c b/lib/interface.c
+index 71d4163..a054f12 100644
+--- a/lib/interface.c
++++ b/lib/interface.c
+@@ -211,32 +211,47 @@ static int if_readconf(void)
+ }
+
+ static const char *get_name(char *name, const char *p)
++/* Safe version — guarantees at most IFNAMSIZ‑1 bytes are copied
++ and the destination buffer is always NUL‑terminated. */
+ {
+- while (isspace(*p))
+- p++;
+- while (*p) {
+- if (isspace(*p))
+- break;
+- if (*p == ':') { /* could be an alias */
+- const char *dot = p++;
+- while (*p && isdigit(*p)) p++;
+- if (*p == ':') {
+- /* Yes it is, backup and copy it. */
+- p = dot;
+- *name++ = *p++;
+- while (*p && isdigit(*p)) {
+- *name++ = *p++;
+- }
+- } else {
+- /* No, it isn't */
+- p = dot;
+- }
+- p++;
+- break;
+- }
+- *name++ = *p++;
++ char *dst = name; /* current write ptr */
++ const char *end = name + IFNAMSIZ - 1; /* last byte we may write */
++
++ /* Skip leading white‑space. */
++ while (isspace((unsigned char)*p))
++ ++p;
++
++ /* Copy until white‑space, end of string, or buffer full. */
++ while (*p && !isspace((unsigned char)*p) && dst < end) {
++ if (*p == ':') { /* possible alias veth0:123: */
++ const char *dot = p; /* remember the colon */
++ ++p;
++ while (*p && isdigit((unsigned char)*p))
++ ++p;
++
++ if (*p == ':') { /* confirmed alias */
++ p = dot; /* rewind and copy it all */
++
++ /* copy the colon */
++ if (dst < end)
++ *dst++ = *p++;
++
++ /* copy the digits */
++ while (*p && isdigit((unsigned char)*p) && dst < end)
++ *dst++ = *p++;
++
++ if (*p == ':') /* consume trailing colon */
++ ++p;
++ } else { /* if so treat as normal */
++ p = dot;
++ }
++ break; /* interface name ends here */
++ }
++
++ *dst++ = *p++; /* ordinary character copy */
+ }
+- *name++ = '\0';
++
++ *dst = '\0'; /* always NUL‑terminate */
+ return p;
+ }
+
diff --git a/net-tools.spec b/net-tools.spec
index 8b59703..b2e6b10 100644
--- a/net-tools.spec
+++ b/net-tools.spec
@@ -1,4 +1,4 @@ -%define anolis_release 3 +%define anolis_release 4 Summary: Basic networking tools Name: net-tools
@@ -13,6 +13,7 @@ Source1: arp-ethers.service # sync from suse Patch0: net-tools-configure.patch Patch1: 0001-Add-ether-wake-binary.patch +Patch2: 2-bugfix-for-CVE-2025-46836.patch BuildRequires: make BuildRequires: bluez-libs-devel
@@ -106,6 +107,9 @@ install -D -p -m 644 %{SOURCE1} %{buildroot}%{_unitdir}/arp-ethers.service %doc THANKS README TODO %changelog +* Fri Jul 04 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 2.10-4 +- Fix CVE-2025-46836 + * Mon Dec 25 2023 Xiaoping Liu - 2.10-3 - fix the source error -- Gitee
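Review bot: In the lib/interface.c hunk carried by 2-bugfix-for-CVE-2025-46836.patch, the non-alias branch of the new get_name() (`} else { p = dot; }` followed directly by `break;`) returns with `p` still on the ':' character, whereas the removed code ran `p++` after both branches, so the returned pointer was always past the colon. The callers are outside this hunk, but any of them that parses the rest of the line from the return value would now start at ':', which is worth checking before shipping the bounds fix. Keeping the old contract is a one-line change in that branch: `p = dot + 1; /* not an alias: step past the colon, as before */`. The `dst < end` bound itself holds only if every caller passes a buffer of at least IFNAMSIZ bytes, which a short comment on the function could state; the existing comment would also read better above the signature than between it and the opening brace.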