diff --git a/ipmitool-CVE-2020-5208-Fix-buffer-overflow-in-ipmi_get_session_info.patch b/ipmitool-CVE-2020-5208-Fix-buffer-overflow-in-ipmi_get_session_info.patch new file mode 100644 index 0000000000000000000000000000000000000000..aa19f8f0a36ba11e639c32b4b7793752fc4e1d83 --- /dev/null +++ b/ipmitool-CVE-2020-5208-Fix-buffer-overflow-in-ipmi_get_session_info.patch @@ -0,0 +1,44 @@ +From 5ab6d04b43ebdce0b7de62cae051cd554e9a52a1 Mon Sep 17 00:00:00 2001 +From: fengtao40 +Date: Tue, 11 Feb 2020 21:08:07 -0500 +Subject: [PATCH] Fix buffer overflow in ipmi_get_session_info + +--- + lib/ipmi_session.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c +index 141f0f4..01d3c24 100644 +--- a/lib/ipmi_session.c ++++ b/lib/ipmi_session.c +@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, + } + else + { +- memcpy(&session_info, rsp->data, rsp->data_len); +- print_session_info(&session_info, rsp->data_len); ++ memcpy(&session_info, rsp->data, ++ __min(rsp->data_len, sizeof(session_info))); ++ print_session_info(&session_info, ++ __min(rsp->data_len, sizeof(session_info))); + } + break; + +@@ -341,9 +343,11 @@ ipmi_get_session_info(struct ipmi_intf * intf, + break; + } + +- memcpy(&session_info, rsp->data, rsp->data_len); +- print_session_info(&session_info, rsp->data_len); +- ++ memcpy(&session_info, rsp->data, ++ __min(rsp->data_len, sizeof(session_info))); ++ print_session_info(&session_info, ++ __min(rsp->data_len, sizeof(session_info))); ++ + } while (i <= session_info.session_slot_count); + break; + } +-- +2.19.1 + diff --git a/ipmitool-CVE-2020-5208-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/ipmitool-CVE-2020-5208-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch new file mode 100644 index 0000000000000000000000000000000000000000..444c3d4342693ec07ca7b7534adfaea4f68c6e8b --- /dev/null +++ b/ipmitool-CVE-2020-5208-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch @@ -0,0 +1,39 @@ +From 6989c8413f80429b6c82d1fef4c8d0a79daf6d7b Mon Sep 17 00:00:00 2001 +From: fengtao40 +Date: Tue, 11 Feb 2020 21:05:31 -0500 +Subject: [PATCH] Fix buffer overflow in ipmi_spd_print_fru + +--- + lib/dimm_spd.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c +index 41e30db..68f3b4f 100644 +--- a/lib/dimm_spd.c ++++ b/lib/dimm_spd.c +@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) + struct ipmi_rq req; + struct fru_info fru; + uint8_t *spd_data, msg_data[4]; +- int len, offset; ++ uint32_t len, offset; + + msg_data[0] = id; + +@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) + } + + len = rsp->data[0]; ++ if(rsp->data_len < 1 ++ || len > rsp->data_len - 1 ++ || len > fru.size - offset) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } + memcpy(&spd_data[offset], rsp->data + 1, len); + offset += len; + } while (offset < fru.size); +-- +2.19.1 + diff --git a/ipmitool-CVE-2020-5208-Fix-buffer-overflow-vulnerabilities.patch b/ipmitool-CVE-2020-5208-Fix-buffer-overflow-vulnerabilities.patch new file mode 100644 index 0000000000000000000000000000000000000000..30d77f004ceaece7c1b389318fad68ee582c5d50 --- /dev/null +++ b/ipmitool-CVE-2020-5208-Fix-buffer-overflow-vulnerabilities.patch @@ -0,0 +1,120 @@ +From 2d516d6f1193a55c89a95b59b7d58fec6210e996 Mon Sep 17 00:00:00 2001 +From: fengtao40 +Date: Tue, 11 Feb 2020 21:02:08 -0500 +Subject: [PATCH] Fix buffer overflow vulnerabilities + +--- + lib/ipmi_fru.c | 35 ++++++++++++++++++++++++++++++++--- + 1 file changed, 32 insertions(+), 3 deletions(-) + +diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c +index ad99ebe..7911bae 100644 +--- a/lib/ipmi_fru.c ++++ b/lib/ipmi_fru.c +@@ -614,7 +614,10 @@ int + read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + uint32_t offset, uint32_t length, uint8_t *frubuf) + { +- uint32_t off = offset, tmp, finish; ++ uint32_t off = offset; ++ uint32_t tmp; ++ uint32_t finish; ++ uint32_t size_left_in_buffer; + struct ipmi_rs * rsp; + struct ipmi_rq req; + uint8_t msg_data[4]; +@@ -627,10 +630,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + + finish = offset + length; + if (finish > fru->size) { ++ memset(frubuf + fru->size, 0, length - fru->size); + finish = fru->size; + lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " + "Adjusting to %d", + offset + length, finish - offset); ++ length = finish - offset; + } + + memset(&req, 0, sizeof(req)); +@@ -666,6 +671,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + } + } + ++ size_left_in_buffer = length; + do { + tmp = fru->access ? off >> 1 : off; + msg_data[0] = id; +@@ -706,9 +712,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + } + + tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; ++ if(rsp->data_len < 1 ++ || tmp > rsp->data_len - 1 ++ || tmp > size_left_in_buffer) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } ++ + memcpy(frubuf, rsp->data + 1, tmp); + off += tmp; + frubuf += tmp; ++ size_left_in_buffer -= tmp; + /* sometimes the size returned in the Info command + * is too large. return 0 so higher level function + * still attempts to parse what was returned */ +@@ -741,7 +756,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + uint32_t offset, uint32_t length, uint8_t *frubuf) + { + static uint32_t fru_data_rqst_size = 20; +- uint32_t off = offset, tmp, finish; ++ uint32_t off = offset; ++ uint32_t tmp, finish; ++ uint32_t size_left_in_buffer; + struct ipmi_rs * rsp; + struct ipmi_rq req; + uint8_t msg_data[4]; +@@ -753,11 +770,13 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + } + + finish = offset + length; +- if (finish > fru->size) { ++ if (finish > fru->size) { ++ memset(frubuf + fru->size, 0, length - fru->size); + finish = fru->size; + lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " + "Adjusting to %d", + offset + length, finish - offset); ++ length = finish - offset; + } + + memset(&req, 0, sizeof(req)); +@@ -772,6 +791,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + if (fru->access && fru_data_rqst_size > 16) + #endif + fru_data_rqst_size = 16; ++ ++ size_left_in_buffer = length; + do { + tmp = fru->access ? off >> 1 : off; + msg_data[0] = id; +@@ -803,8 +824,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + } + + tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; ++ if(rsp->data_len < 1 ++ || tmp > rsp->data_len - 1 ++ || tmp > size_left_in_buffer) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } + memcpy((frubuf + off)-offset, rsp->data + 1, tmp); + off += tmp; ++ size_left_in_buffer -= tmp; + + /* sometimes the size returned in the Info command + * is too large. return 0 so higher level function +-- +2.19.1 + diff --git a/ipmitool-CVE-2020-5208-Fix-buffer-overflow.patch b/ipmitool-CVE-2020-5208-Fix-buffer-overflow.patch new file mode 100644 index 0000000000000000000000000000000000000000..fc23c9116bd9950e55943f504e45a39f7e782dec --- /dev/null +++ b/ipmitool-CVE-2020-5208-Fix-buffer-overflow.patch @@ -0,0 +1,97 @@ +From 4705fa040e114ed480d153c262bcb6f9963b6380 Mon Sep 17 00:00:00 2001 +From: fengtao40 +Date: Tue, 11 Feb 2020 21:13:33 -0500 +Subject: [PATCH] Fix buffer overflow + +--- + include/ipmitool/ipmi_channel.h | 45 +++++++++++++++++++++++++++++++++ + lib/ipmi_channel.c | 10 ++++++-- + 2 files changed, 53 insertions(+), 2 deletions(-) + +diff --git a/include/ipmitool/ipmi_channel.h b/include/ipmitool/ipmi_channel.h +index 3ade2d5..1e9d097 100644 +--- a/include/ipmitool/ipmi_channel.h ++++ b/include/ipmitool/ipmi_channel.h +@@ -81,6 +81,51 @@ struct channel_access_t { + uint8_t user_level_auth; + }; + ++/* ++ * The Cipher Suite Record Format from table 22-18 of the IPMI v2.0 spec ++ */ ++enum cipher_suite_format_tag { ++ STANDARD_CIPHER_SUITE = 0xc0, ++ OEM_CIPHER_SUITE = 0xc1, ++}; ++#ifdef HAVE_PRAGMA_PACK ++#pragma pack(1) ++#endif ++struct std_cipher_suite_record_t { ++ uint8_t start_of_record; ++ uint8_t cipher_suite_id; ++ uint8_t auth_alg; ++ uint8_t integrity_alg; ++ uint8_t crypt_alg; ++} ATTRIBUTE_PACKING; ++struct oem_cipher_suite_record_t { ++ uint8_t start_of_record; ++ uint8_t cipher_suite_id; ++ uint8_t iana[3]; ++ uint8_t auth_alg; ++ uint8_t integrity_alg; ++ uint8_t crypt_alg; ++} ATTRIBUTE_PACKING; ++#ifdef HAVE_PRAGMA_PACK ++#pragma pack(0) ++#endif ++#define CIPHER_ALG_MASK 0x3f ++#define MAX_CIPHER_SUITE_RECORD_OFFSET 0x40 ++#define MAX_CIPHER_SUITE_DATA_LEN 0x10 ++#define LIST_ALGORITHMS_BY_CIPHER_SUITE 0x80 ++ ++/* Below is the theoretical maximum number of cipher suites that could be ++ * reported by a BMC. That is with the Get Channel Cipher Suites Command, at 16 ++ * bytes at a time and 0x40 requests, it can report 1024 bytes, which is about ++ * 204 standard records or 128 OEM records. Really, we probably don't need more ++ * than about 20, which is the full set of standard records plus a few OEM ++ * records. ++ */ ++#define MAX_CIPHER_SUITE_COUNT (MAX_CIPHER_SUITE_RECORD_OFFSET * \ ++ MAX_CIPHER_SUITE_DATA_LEN / \ ++ sizeof(struct std_cipher_suite_record_t)) ++ ++ + /* + * The Get Authentication Capabilities response structure + * From table 22-15 of the IPMI v2.0 spec +diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c +index e1fc75f..025ee74 100644 +--- a/lib/ipmi_channel.c ++++ b/lib/ipmi_channel.c +@@ -378,7 +378,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, + lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); + return -1; + } +- if (rsp->ccode > 0) { ++ if (rsp->ccode ++ || rsp->data_len < 1 ++ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) ++ { + lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", + val2str(rsp->ccode, completion_code_vals)); + return -1; +@@ -413,7 +416,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, + lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); + return -1; + } +- if (rsp->ccode > 0) { ++ if (rsp->ccode ++ || rsp->data_len < 1 ++ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) ++ { + lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", + val2str(rsp->ccode, completion_code_vals)); + return -1; +-- +2.19.1 + diff --git a/ipmitool-CVE-2020-5208-Fix-buffer-overflows-in-get_lan_param_select.patch b/ipmitool-CVE-2020-5208-Fix-buffer-overflows-in-get_lan_param_select.patch new file mode 100644 index 0000000000000000000000000000000000000000..a82d8cbeb5cbbf2fe4c768e14c293eb6ba5cd712 --- /dev/null +++ b/ipmitool-CVE-2020-5208-Fix-buffer-overflows-in-get_lan_param_select.patch @@ -0,0 +1,79 @@ +From f73d9750428670108c5c727fe2a57b165f2b1142 Mon Sep 17 00:00:00 2001 +From: fengtao40 +Date: Tue, 11 Feb 2020 21:16:29 -0500 +Subject: [PATCH] Fix buffer overflows in get_lan_param_select + +--- + lib/ipmi_lanp.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c +index 65d881b..022c7f1 100644 +--- a/lib/ipmi_lanp.c ++++ b/lib/ipmi_lanp.c +@@ -1809,7 +1809,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + /* set new ipaddr */ + memcpy(data+3, temp, 4); + printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert, +@@ -1824,7 +1824,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + /* set new macaddr */ + memcpy(data+7, temp, 6); + printf("Setting LAN Alert %d MAC Address to " +@@ -1838,7 +1838,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (strncasecmp(argv[1], "def", 3) == 0 || + strncasecmp(argv[1], "default", 7) == 0) { +@@ -1864,7 +1864,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (strncasecmp(argv[1], "on", 2) == 0 || + strncasecmp(argv[1], "yes", 3) == 0) { +@@ -1889,7 +1889,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (strncasecmp(argv[1], "pet", 3) == 0) { + printf("Setting LAN Alert %d destination to PET Trap\n", alert); +@@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (str2uchar(argv[1], &data[2]) != 0) { + lprintf(LOG_ERR, "Invalid time: %s", argv[1]); +@@ -1933,7 +1933,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (str2uchar(argv[1], &data[3]) != 0) { + lprintf(LOG_ERR, "Invalid retry: %s", argv[1]); +-- +2.19.1 + diff --git a/ipmitool-CVE-2020-5208-Fix-id_string-buffer-overflows.patch b/ipmitool-CVE-2020-5208-Fix-id_string-buffer-overflows.patch new file mode 100644 index 0000000000000000000000000000000000000000..a43f68545060c18610ffc5a47e48f01497f519ce --- /dev/null +++ b/ipmitool-CVE-2020-5208-Fix-id_string-buffer-overflows.patch @@ -0,0 +1,122 @@ +From a95a92b104b388b5decac4b66f4cf15d5676a782 Mon Sep 17 00:00:00 2001 +From: fengtao40 +Date: Tue, 11 Feb 2020 21:22:20 -0500 +Subject: [PATCH] Fix id_string buffer overflows + +--- + lib/ipmi_fru.c | 2 +- + lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++---------------- + 2 files changed, 25 insertions(+), 17 deletions(-) + +diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c +index 7911bae..e5b637c 100644 +--- a/lib/ipmi_fru.c ++++ b/lib/ipmi_fru.c +@@ -3027,7 +3027,7 @@ ipmi_fru_print(struct ipmi_intf * intf, struct sdr_record_fru_locator * fru) + return 0; + + memset(desc, 0, sizeof(desc)); +- memcpy(desc, fru->id_string, fru->id_code & 0x01f); ++ memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc))); + desc[fru->id_code & 0x01f] = 0; + printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id); + +diff --git a/lib/ipmi_sdr.c b/lib/ipmi_sdr.c +index e5ee115..254073d 100644 +--- a/lib/ipmi_sdr.c ++++ b/lib/ipmi_sdr.c +@@ -2086,7 +2086,7 @@ ipmi_sdr_print_sensor_eventonly(struct ipmi_intf *intf, + return -1; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string); + + if (verbose) { + printf("Sensor ID : %s (0x%x)\n", +@@ -2137,7 +2137,7 @@ ipmi_sdr_print_sensor_mc_locator(struct ipmi_intf *intf, + return -1; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string); + + if (verbose == 0) { + if (csv_output) +@@ -2230,7 +2230,7 @@ ipmi_sdr_print_sensor_generic_locator(struct ipmi_intf *intf, + char desc[17]; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string); + + if (!verbose) { + if (csv_output) +@@ -2287,7 +2287,7 @@ ipmi_sdr_print_sensor_fru_locator(struct ipmi_intf *intf, + char desc[17]; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string); + + if (!verbose) { + if (csv_output) +@@ -2491,35 +2491,43 @@ ipmi_sdr_print_name_from_rawentry(struct ipmi_intf *intf, uint16_t id, + + int rc =0; + char desc[17]; ++ const char *id_string; ++ uint8_t id_code; + memset(desc, ' ', sizeof (desc)); + + switch ( type) { + case SDR_RECORD_TYPE_FULL_SENSOR: + record.full = (struct sdr_record_full_sensor *) raw; +- snprintf(desc, (record.full->id_code & 0x1f) +1, "%s", +- (const char *)record.full->id_string); ++ id_code = record.full->id_code; ++ id_string = record.full->id_string; + break; ++ + case SDR_RECORD_TYPE_COMPACT_SENSOR: + record.compact = (struct sdr_record_compact_sensor *) raw ; +- snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s", +- (const char *)record.compact->id_string); ++ id_code = record.compact->id_code; ++ id_string = record.compact->id_string; + break; ++ + case SDR_RECORD_TYPE_EVENTONLY_SENSOR: + record.eventonly = (struct sdr_record_eventonly_sensor *) raw ; +- snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s", +- (const char *)record.eventonly->id_string); +- break; ++ id_code = record.eventonly->id_code; ++ id_string = record.eventonly->id_string; ++ break; ++ + case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR: + record.mcloc = (struct sdr_record_mc_locator *) raw ; +- snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s", +- (const char *)record.mcloc->id_string); ++ id_code = record.mcloc->id_code; ++ id_string = record.mcloc->id_string; + break; ++ + default: + rc = -1; +- break; +- } ++ } ++ if (!rc) { ++ snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string); ++ } + +- lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); ++ lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); + return rc; + } + +-- +2.19.1 + diff --git a/ipmitool.spec b/ipmitool.spec index f32a0666a652b5abbbe6c4f1c9c7a5ff28a22b40..9e8750314f617c12b46193634cba77a4c48d3add 100644 --- a/ipmitool.spec +++ b/ipmitool.spec @@ -1,6 +1,6 @@ Name: ipmitool Version: 1.8.18 -Release: 12 +Release: 13 Summary: Utility for IPMI control License: BSD URL: http://ipmitool.sourceforge.net/ @@ -36,6 +36,13 @@ Patch6017: fru-swap-free-calls-for-free_n.patch Patch6018: Refactor-free_n-function.patch Patch6019: open-checking-received-msg-id-against-expectation.patch +Patch6020: ipmitool-CVE-2020-5208-Fix-buffer-overflow-vulnerabilities.patch +Patch6021: ipmitool-CVE-2020-5208-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch +Patch6022: ipmitool-CVE-2020-5208-Fix-buffer-overflow-in-ipmi_get_session_info.patch +Patch6023: ipmitool-CVE-2020-5208-Fix-buffer-overflow.patch +Patch6024: ipmitool-CVE-2020-5208-Fix-buffer-overflows-in-get_lan_param_select.patch +Patch6025: ipmitool-CVE-2020-5208-Fix-id_string-buffer-overflows.patch + BuildRequires: openssl-devel readline-devel ncurses-devel git %{?systemd_requires} BuildRequires: systemd @@ -122,6 +129,9 @@ install -Dm 755 contrib/bmc-snmp-proxy %{buildroot}%{_libexecdir}/bmc-sn %{_mandir}/man8/ipmievd.8* %changelog +* Fri Mar 13 2020 openEuler Buildteam - 1.8.18-13 +- fix CVE-2020-5208 + * Mon Jan 6 2020 openEuler Buildteam - 1.8.18-12 - update software package