diff --git a/OpenIPMI.spec b/OpenIPMI.spec
index 06e54e74144da163287a5c77d02365654e589830..57d9c2c5ef3c86e4b96eca221b7162f7d78de10a 100644
--- a/OpenIPMI.spec
+++ b/OpenIPMI.spec
@@ -1,6 +1,6 @@
 Name: OpenIPMI
 Version: 2.0.32
-Release: 3
+Release: 4
 Summary: IPMI (Intelligent Platform Management Interface) library and tools
 License: LGPLv2+ and GPLv2+ or BSD
 URL: https://sourceforge.net/projects/openipmi/
@@ -11,6 +11,9 @@ Source3: openipmi-helper
 Patch0: 0001-man.patch
 Patch1: backport-fix-coredump-when-use-ipmi_ui.patch
+Patch2: backport-0001-CVE-2024-42934.patch
+Patch3: backport-0002-CVE-2024-42934.patch
+Patch4: backport-0003-CVE-2024-42934.patch
 BuildRequires: gdbm-devel swig glib2-devel net-snmp-devel ncurses-devel
 BuildRequires: openssl-devel python3-devel perl-devel perl-generators
@@ -148,6 +151,12 @@ make check
 %exclude %{_mandir}/man1/openipmigui.1
 %changelog
+* Fri Oct 11 2024 yanglu - 2.0.32-4
+- Type:CVE
+- CVE:CVE-2024-42934
+- SUG:NA
+- DESC:fix CVE-2024-42934
+
 * Tue Nov 21 2023 yanglu - 2.0.32-3
 - Type:enhancement
 - CVE:NA
diff --git a/backport-0001-CVE-2024-42934.patch b/backport-0001-CVE-2024-42934.patch
new file mode 100644
index 0000000000000000000000000000000000000000..075f0f173f5bd23b19731d1df85b039f81237c93
--- /dev/null
+++ b/backport-0001-CVE-2024-42934.patch
@@ -0,0 +1,46 @@
+From b52e8e2538b2b48ef6b63bff12b5cc9e2d52eff1 Mon Sep 17 00:00:00 2001
+From: Corey Minyard
+Date: Mon, 29 Apr 2024 12:46:23 -0500
+Subject: [PATCH] lanserv: Check some bounds on incoming messages
+
+Signed-off-by: Corey Minyard
+
+Reference:https://sourceforge.net/p/openipmi/code/ci/b52e8e2538b2b48ef6b63bff12b5cc9e2d52eff1/
+Conflict:NA
+
+---
+ lanserv/lanserv_ipmi.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/lanserv/lanserv_ipmi.c b/lanserv/lanserv_ipmi.c
+index ccd6001..0ee6451 100644
+--- a/lanserv/lanserv_ipmi.c
++++ b/lanserv/lanserv_ipmi.c
+@@ -882,6 +882,12 @@ handle_temp_session(lanserv_data_t *lan, msg_t *msg)
+ }
+
+ auth = msg->data[0] & 0xf;
++ if (auth >= MAX_IPMI_AUTHS) {
++ lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg,
++ "Activate session failed: Invalid auth: 0x%x", auth);
++ return;
++ }
++
+ user = &(lan->users[user_idx]);
+ if (! (user->valid)) {
+ lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg,
+@@ -3034,6 +3040,11 @@ ipmi_handle_lan_msg(lanserv_data_t *lan,
+ }
+
+ msg.authtype = data[4];
++ if (msg.authtype >= MAX_IPMI_AUTHS) {
++ lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
++ "LAN msg failure: Invalid authtype");
++ return;
++ }
+ msg.data = data+5;
+ msg.len = len - 5;
+ msg.channel = lan->channel.channel_num;
+--
+2.43.0
+
diff --git a/backport-0002-CVE-2024-42934.patch b/backport-0002-CVE-2024-42934.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3a43e58a2a8f6f507071262c0b94f30d7bdf4a31
--- /dev/null
+++ b/backport-0002-CVE-2024-42934.patch
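Review bot: The second hunk of backport-0001 (ipmi_handle_lan_msg, `if (msg.authtype >= MAX_IPMI_AUTHS)`) is not safe as a standalone backport: it logs through `&msg` before `msg.data`, `msg.len` and `msg.channel` are assigned on the context lines that follow, and it rejects every authtype at or above the bound, which according to the description of backport-0003 includes the RMCP+ type. Both problems are corrected only by backport-0002 and backport-0003, so the three patches should be recorded as an ordered set, for example with a spec comment above `Patch2:` such as `# Patch2-4 fix CVE-2024-42934 together; keep all three and apply in order`. The first hunk's check in handle_temp_session would also benefit from a one-line comment saying which table `auth` later indexes; that code lies outside the hunk, so the exact wording needs checking against the full function.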
@@ -0,0 +1,71 @@
+From 663e3cd3b6d1d9fc82267c7d7474320cb67e03a4 Mon Sep 17 00:00:00 2001
+From: Corey Minyard
+Date: Sun, 2 Jun 2024 14:11:16 -0500
+Subject: [PATCH] lanserv: Fix an issue logging an error on a message
+
+A message structure was passed to the log, but it was not sufficiently
+initialized and the logging program crashed. Rework the initialization
+to make the message data ready and legal for the logging calls.
+
+Found-by: Fabio Massimo Di Nitto
+Signed-off-by: Corey Minyard
+
+Reference:https://sourceforge.net/p/openipmi/code/ci/663e3cd3b6d1d9fc82267c7d7474320cb67e03a4/
+Conflict:NA
+
+---
+ lanserv/lanserv_ipmi.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/lanserv/lanserv_ipmi.c b/lanserv/lanserv_ipmi.c
+index 0ee6451..1ef5710 100644
+--- a/lanserv/lanserv_ipmi.c
++++ b/lanserv/lanserv_ipmi.c
+@@ -3022,17 +3022,33 @@ ipmi_handle_lan_msg(lanserv_data_t *lan,
+ {
+ msg_t msg;
+
++ memset(&msg, 0, sizeof(msg));
++
+ msg.src_addr = from_addr;
+ msg.src_len = from_len;
+
+ msg.oem_data = 0;
+
++ msg.channel = lan->channel.channel_num;
++ msg.orig_channel = &lan->channel;
++
++ /*
++ * Initialize the data so the log won't crash if it gets called, and
++ * so the log might have useful info.
++ */
++ msg.data = data;
++ msg.len = len;
++
+ if (len < 5) {
+ lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
+ "LAN msg failure: message too short");
+ return;
+ }
+
++ /* Length is at least marginally correct, skip the first part now. */
++ msg.data = data + 5;
++ msg.len = len - 5;
++
+ if (data[2] != 0xff) {
+ lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
+ "LAN msg failure: seq not ff");
+@@ -3045,10 +3061,6 @@ ipmi_handle_lan_msg(lanserv_data_t *lan,
+ "LAN msg failure: Invalid authtype");
+ return;
+ }
+- msg.data = data+5;
+- msg.len = len - 5;
+- msg.channel = lan->channel.channel_num;
+- msg.orig_channel = &lan->channel;
+
+ if (msg.authtype == IPMI_AUTHTYPE_RMCP_PLUS) {
+ ipmi_handle_rmcpp_msg(lan, &msg);
+--
+2.43.0
+
diff --git a/backport-0003-CVE-2024-42934.patch b/backport-0003-CVE-2024-42934.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8c512e6665226498ae4cbb605acb67ff70c3c4aa
--- /dev/null
+++ b/backport-0003-CVE-2024-42934.patch
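Review bot: A datagram of exactly five bytes passes the `len < 5` guard and leaves `msg.len = len - 5` at zero with `msg.data = data + 5` pointing just past the received bytes, and that message is then handed to the later log calls and to the RMCP/RMCP+ handlers. Whether ipmi_handle_rmcp_msg and ipmi_handle_rmcpp_msg check `msg->len` before reading is not visible here (the function's signature and tail are outside the hunk), so it is worth confirming and recording next to the assignment, e.g. `/* msg.len may be 0 here; callees must check it before reading msg.data */`. As a point of style, `msg.oem_data = 0;` is now redundant after `memset(&msg, 0, sizeof(msg));`.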
@@ -0,0 +1,50 @@
+From 4c129d0540f3578ecc078d8612bbf84b6cd24c87 Mon Sep 17 00:00:00 2001
+From: Corey Minyard
+Date: Thu, 1 Aug 2024 10:56:06 -0500
+Subject: [PATCH] lanserv: Fix an issue with authorization range checking
+
+A recent change added a range check on authorization type, but it didn't
+take into account the RMCP authorization type that's special. Add a
+check for that.
+
+Fixes: b52e8e2538b2b48ef6b6 "lanserv: Check some bounds on incoming messages"
+
+Signed-off-by: Corey Minyard
+
+Reference:https://sourceforge.net/p/openipmi/code/ci/4c129d0540f3578ecc078d8612bbf84b6cd24c87/
+Conflict:NA
+
+---
+ lanserv/lanserv_ipmi.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/lanserv/lanserv_ipmi.c b/lanserv/lanserv_ipmi.c
+index 1ef5710..5de396e 100644
+--- a/lanserv/lanserv_ipmi.c
++++ b/lanserv/lanserv_ipmi.c
+@@ -3056,18 +3056,15 @@ ipmi_handle_lan_msg(lanserv_data_t *lan,
+ }
+
+ msg.authtype = data[4];
+- if (msg.authtype >= MAX_IPMI_AUTHS) {
+- lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
+- "LAN msg failure: Invalid authtype");
+- return;
+- }
+-
+ if (msg.authtype == IPMI_AUTHTYPE_RMCP_PLUS) {
+ ipmi_handle_rmcpp_msg(lan, &msg);
++ } else if (msg.authtype >= MAX_IPMI_AUTHS) {
++ lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
++ "LAN msg failure: Invalid authtype: %d", data[4]);
++ return;
+ } else {
+ ipmi_handle_rmcp_msg(lan, &msg);
+ }
+-
+ }
+
+ static void
+--
+2.43.0
+
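Review bot: The correctness of the bound check now depends on the order of the two tests in the new `if`/`else if` chain, and nothing in the code says so: `IPMI_AUTHTYPE_RMCP_PLUS` has to be matched before `msg.authtype >= MAX_IPMI_AUTHS`, presumably because its value lies outside the range the bound protects. A comment above the chain such as `/* RMCP+ is handled separately; test it before the table bound. */` would keep a later reorder from reintroducing the rejection that this patch removes. The `return;` in the invalid-authtype branch is redundant because the function ends right after the chain, and this message prints the value with `%d` while the handle_temp_session check added in backport-0001 uses `0x%x`; using one format for both would make the log entries easier to correlate.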