ipmitool: fix CVE-2020-5208

All patches has been applied upstream. Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2025-12-22 01:44:32 +04:00 · 2020-06-06 03:30:37 +02:00
parent ec0b891b62
commit b2a9219f73
7 changed files with 488 additions and 1 deletions
--- a/admin/ipmitool/patches/0009-CVE-2020-5208-channel-Fix-buffer-overflow.patch
+++ b/admin/ipmitool/patches/0009-CVE-2020-5208-channel-Fix-buffer-overflow.patch
@@ -0,0 +1,37 @@
+From 743dd4faa302f22950e4438cf684e1e398eb47eb Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:56:38 +0000
+Subject: [PATCH 09/11] channel: Fix buffer overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `ipmi_get_channel_cipher_suites` function does not properly check
+the final response’s `data_len`, which can lead to stack buffer overflow
+on the final copy.
+---
+ lib/ipmi_channel.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c
+index fab2e5483d12..8cd7c59a4273 100644
+--- a/lib/ipmi_channel.c
+++ b/lib/ipmi_channel.c
+@@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
+ 			lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
+ 			return -1;
+ 		}
+-		if (rsp->ccode > 0) {
+		if (rsp->ccode
+		    || rsp->data_len < 1
+		    || rsp->data_len > sizeof(uint8_t) + 0x10)
+		{
+ 			lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
+ 					val2str(rsp->ccode, completion_code_vals));
+ 			return -1;
+-- 
+2.27.0
+