packages/OpenIPMI
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-42934

Browse Source
This commit is contained in:
yangl777 2024-10-11 12:08:08 +00:00
parent 4c6abb0fb9
commit 1283a3cb97
4 changed files with 177 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
OpenIPMI.spec
View File

@ -1,6 +1,6 @@
Name: OpenIPMI
Version: 2.0.34
Release: 1
Release: 2
Summary: IPMI (Intelligent Platform Management Interface) library and tools
License: LGPLv2+ and GPLv2+ or BSD
URL: https://sourceforge.net/projects/openipmi/
@ -10,6 +10,9 @@ Source2: ipmi.service
Source3: openipmi-helper
Patch0: 0001-man.patch
Patch1: backport-0001-CVE-2024-42934.patch
Patch2: backport-0002-CVE-2024-42934.patch
Patch3: backport-0003-CVE-2024-42934.patch
BuildRequires: make gdbm-devel swig glib2-devel net-snmp-devel ncurses-devel
BuildRequires: openssl-devel python3-devel perl-devel perl-generators
@ -146,6 +149,12 @@ make check
%exclude %{_mandir}/man1/openipmigui.1
%changelog
* Fri Oct 11 2024 yanglu <yanglu72@h-partners.com> - 2.0.34-2
- Type:CVE
- CVE:CVE-2024-42934
- SUG:NA
- DESC:fix CVE-2024-42934
* Fri Jan 05 2024 yanglu <yanglu72@h-partners.com> - 2.0.34-1
- Type:requirement
- CVE:NA

46
backport-0001-CVE-2024-42934.patch Normal file
View File

@ -0,0 +1,46 @@
From b52e8e2538b2b48ef6b63bff12b5cc9e2d52eff1 Mon Sep 17 00:00:00 2001
From: Corey Minyard <minyard@acm.org>
Date: Mon, 29 Apr 2024 12:46:23 -0500
Subject: [PATCH] lanserv: Check some bounds on incoming messages
Signed-off-by: Corey Minyard <minyard@acm.org>
Reference:https://sourceforge.net/p/openipmi/code/ci/b52e8e2538b2b48ef6b63bff12b5cc9e2d52eff1/
Conflict:NA
---
lanserv/lanserv_ipmi.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/lanserv/lanserv_ipmi.c b/lanserv/lanserv_ipmi.c
index ccd6001..0ee6451 100644
--- a/lanserv/lanserv_ipmi.c
+++ b/lanserv/lanserv_ipmi.c
@@ -882,6 +882,12 @@ handle_temp_session(lanserv_data_t *lan, msg_t *msg)
}
auth = msg->data[0] & 0xf;
+ if (auth >= MAX_IPMI_AUTHS) {
+ lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg,
+ "Activate session failed: Invalid auth: 0x%x", auth);
+ return;
+ }
+
user = &(lan->users[user_idx]);
if (! (user->valid)) {
lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg,
@@ -3034,6 +3040,11 @@ ipmi_handle_lan_msg(lanserv_data_t *lan,
}
msg.authtype = data[4];
+ if (msg.authtype >= MAX_IPMI_AUTHS) {
+ lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
+ "LAN msg failure: Invalid authtype");
+ return;
+ }
msg.data = data+5;
msg.len = len - 5;
msg.channel = lan->channel.channel_num;
--
2.43.0

71
backport-0002-CVE-2024-42934.patch Normal file
View File

@ -0,0 +1,71 @@
From 663e3cd3b6d1d9fc82267c7d7474320cb67e03a4 Mon Sep 17 00:00:00 2001
From: Corey Minyard <minyard@acm.org>
Date: Sun, 2 Jun 2024 14:11:16 -0500
Subject: [PATCH] lanserv: Fix an issue logging an error on a message
A message structure was passed to the log, but it was not sufficiently
initialized and the logging program crashed. Rework the initialization
to make the message data ready and legal for the logging calls.
Found-by: Fabio Massimo Di Nitto
Signed-off-by: Corey Minyard <minyard@acm.org>
Reference:https://sourceforge.net/p/openipmi/code/ci/663e3cd3b6d1d9fc82267c7d7474320cb67e03a4/
Conflict:NA
---
lanserv/lanserv_ipmi.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/lanserv/lanserv_ipmi.c b/lanserv/lanserv_ipmi.c
index 0ee6451..1ef5710 100644
--- a/lanserv/lanserv_ipmi.c
+++ b/lanserv/lanserv_ipmi.c
@@ -3022,17 +3022,33 @@ ipmi_handle_lan_msg(lanserv_data_t *lan,
{
msg_t msg;
+ memset(&msg, 0, sizeof(msg));
+
msg.src_addr = from_addr;
msg.src_len = from_len;
msg.oem_data = 0;
+ msg.channel = lan->channel.channel_num;
+ msg.orig_channel = &lan->channel;
+
+ /*
+ * Initialize the data so the log won't crash if it gets called, and
+ * so the log might have useful info.
+ */
+ msg.data = data;
+ msg.len = len;
+
if (len < 5) {
lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
"LAN msg failure: message too short");
return;
}
+ /* Length is at least marginally correct, skip the first part now. */
+ msg.data = data + 5;
+ msg.len = len - 5;
+
if (data[2] != 0xff) {
lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
"LAN msg failure: seq not ff");
@@ -3045,10 +3061,6 @@ ipmi_handle_lan_msg(lanserv_data_t *lan,
"LAN msg failure: Invalid authtype");
return;
}
- msg.data = data+5;
- msg.len = len - 5;
- msg.channel = lan->channel.channel_num;
- msg.orig_channel = &lan->channel;
if (msg.authtype == IPMI_AUTHTYPE_RMCP_PLUS) {
ipmi_handle_rmcpp_msg(lan, &msg);
--
2.43.0

50
backport-0003-CVE-2024-42934.patch Normal file
View File

@ -0,0 +1,50 @@
From 4c129d0540f3578ecc078d8612bbf84b6cd24c87 Mon Sep 17 00:00:00 2001
From: Corey Minyard <corey@minyard.net>
Date: Thu, 1 Aug 2024 10:56:06 -0500
Subject: [PATCH] lanserv: Fix an issue with authorization range checking
A recent change added a range check on authorization type, but it didn't
take into account the RMCP authorization type that's special. Add a
check for that.
Fixes: b52e8e2538b2b48ef6b6 "lanserv: Check some bounds on incoming messages"
Signed-off-by: Corey Minyard <corey@minyard.net>
Reference:https://sourceforge.net/p/openipmi/code/ci/4c129d0540f3578ecc078d8612bbf84b6cd24c87/
Conflict:NA
---
lanserv/lanserv_ipmi.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/lanserv/lanserv_ipmi.c b/lanserv/lanserv_ipmi.c
index 1ef5710..5de396e 100644
--- a/lanserv/lanserv_ipmi.c
+++ b/lanserv/lanserv_ipmi.c
@@ -3056,18 +3056,15 @@ ipmi_handle_lan_msg(lanserv_data_t *lan,
}
msg.authtype = data[4];
- if (msg.authtype >= MAX_IPMI_AUTHS) {
- lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
- "LAN msg failure: Invalid authtype");
- return;
- }
-
if (msg.authtype == IPMI_AUTHTYPE_RMCP_PLUS) {
ipmi_handle_rmcpp_msg(lan, &msg);
+ } else if (msg.authtype >= MAX_IPMI_AUTHS) {
+ lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
+ "LAN msg failure: Invalid authtype: %d", data[4]);
+ return;
} else {
ipmi_handle_rmcp_msg(lan, &msg);
}
-
}
static void
--
2.43.0