From c2215b8a46940e4f096b5517d6bdc12251e6d23d Mon Sep 17 00:00:00 2001 From: yangcheng1203 Date: Fri, 4 Jul 2025 16:12:56 +0800 Subject: [PATCH] add patch to fix CVE-2025-46836 --- 0002-Fix-CVE-2025-46836.patch | 87 +++++++++++++++++++++++++++++++++++ net-tools.spec | 9 +++- 2 files changed, 94 insertions(+), 2 deletions(-) create mode 100644 0002-Fix-CVE-2025-46836.patch diff --git a/0002-Fix-CVE-2025-46836.patch b/0002-Fix-CVE-2025-46836.patch new file mode 100644 index 0000000..d9eb798 --- /dev/null +++ b/0002-Fix-CVE-2025-46836.patch @@ -0,0 +1,87 @@ +From 7a8f42fb20013a1493d8cae1c43436f85e656f2d Mon Sep 17 00:00:00 2001 +From: Zephkeks +Date: Tue, 13 May 2025 11:04:17 +0200 +Subject: [PATCH] CVE-2025-46836: interface.c: Stack-based Buffer Overflow in + get_name() + +Coordinated as GHSA-pfwf-h6m3-63wf +--- + lib/interface.c | 63 ++++++++++++++++++++++++++++++------------------- + 1 file changed, 39 insertions(+), 24 deletions(-) + +diff --git a/lib/interface.c b/lib/interface.c +index 71d4163..a054f12 100644 +--- a/lib/interface.c ++++ b/lib/interface.c +@@ -211,32 +211,47 @@ static int if_readconf(void) + } + + static const char *get_name(char *name, const char *p) ++/* Safe version — guarantees at most IFNAMSIZ‑1 bytes are copied ++ and the destination buffer is always NUL‑terminated. */ + { +- while (isspace(*p)) +- p++; +- while (*p) { +- if (isspace(*p)) +- break; +- if (*p == ':') { /* could be an alias */ +- const char *dot = p++; +- while (*p && isdigit(*p)) p++; +- if (*p == ':') { +- /* Yes it is, backup and copy it. */ +- p = dot; +- *name++ = *p++; +- while (*p && isdigit(*p)) { +- *name++ = *p++; +- } +- } else { +- /* No, it isn't */ +- p = dot; +- } +- p++; +- break; +- } +- *name++ = *p++; ++ char *dst = name; /* current write ptr */ ++ const char *end = name + IFNAMSIZ - 1; /* last byte we may write */ ++ ++ /* Skip leading white‑space. */ ++ while (isspace((unsigned char)*p)) ++ ++p; ++ ++ /* Copy until white‑space, end of string, or buffer full. */ ++ while (*p && !isspace((unsigned char)*p) && dst < end) { ++ if (*p == ':') { /* possible alias veth0:123: */ ++ const char *dot = p; /* remember the colon */ ++ ++p; ++ while (*p && isdigit((unsigned char)*p)) ++ ++p; ++ ++ if (*p == ':') { /* confirmed alias */ ++ p = dot; /* rewind and copy it all */ ++ ++ /* copy the colon */ ++ if (dst < end) ++ *dst++ = *p++; ++ ++ /* copy the digits */ ++ while (*p && isdigit((unsigned char)*p) && dst < end) ++ *dst++ = *p++; ++ ++ if (*p == ':') /* consume trailing colon */ ++ ++p; ++ } else { /* if so treat as normal */ ++ p = dot; ++ } ++ break; /* interface name ends here */ ++ } ++ ++ *dst++ = *p++; /* ordinary character copy */ + } +- *name++ = '\0'; ++ ++ *dst = '\0'; /* always NUL‑terminate */ + return p; + } + diff --git a/net-tools.spec b/net-tools.spec index 8b59703..2d53aa8 100644 --- a/net-tools.spec +++ b/net-tools.spec @@ -1,4 +1,4 @@ -%define anolis_release 3 +%define anolis_release 4 Summary: Basic networking tools Name: net-tools @@ -12,7 +12,9 @@ Source1: arp-ethers.service # sync from suse Patch0: net-tools-configure.patch -Patch1: 0001-Add-ether-wake-binary.patch +Patch1: 0001-Add-ether-wake-binary.patch +# https://github.com/ecki/net-tools/commit/7a8f42fb20013a1493d8cae1c43436f85e656f2d +Patch2: 0002-Fix-CVE-2025-46836.patch BuildRequires: make BuildRequires: bluez-libs-devel @@ -106,6 +108,9 @@ install -D -p -m 644 %{SOURCE1} %{buildroot}%{_unitdir}/arp-ethers.service %doc THANKS README TODO %changelog +* Fri Jul 04 2025 Yang cheng - 2.10-4 +- add patch to fix CVE-2025-46836 + * Mon Dec 25 2023 Xiaoping Liu - 2.10-3 - fix the source error -- Gitee