#1105806 net-tools: CVE-2025-46836

Package:
src:net-tools
Source:
src:net-tools
Submitter:
Salvatore Bonaccorso
Date:
2025-05-18 20:42:20 UTC
Severity:
normal
#1105806#5
Date:
2025-05-15 03:38:39 UTC
Hi,

The following vulnerability was published for net-tools.

CVE-2025-46836[0]:
| net-tools is a collection of programs that form the base set of the
| NET-3 networking distribution for the Linux operating system. In
| versions up to and including 2.10, the Linux network utilities (like
| ifconfig) from the net-tools package do not properly validate the
| structure of /proc files when showing interfaces. `get_name()` in
| `interface.c` copies interface labels from `/proc/net/dev` into a
| fixed 16-byte stack buffer without bounds checking, leading to
| possible arbitrary code execution or crash. The known attack path
| does not require privilege but also does not provide privilege
| escalation in this scenario. A patch is available and expected to be
| part of version 2.20.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-46836
https://www.cve.org/CVERecord?id=CVE-2025-46836
[1] https://github.com/ecki/net-tools/security/advisories/GHSA-pfwf-h6m3-63wf
[2] https://github.com/ecki/net-tools/commit/7a8f42fb20013a1493d8cae1c43436f85e656f2d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
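
The bug class described in the CVE text above (an interface label copied from a /proc/net/dev line into a 16-byte buffer with no length check) is avoided by a copy that is bounded and rejects over-long labels, shown here as an added example that is not the upstream patch or net-tools code. The function name parse_iface_label and the LABEL_MAX constant are hypothetical, and the sketch assumes plain "name:" labels, not alias forms.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define LABEL_MAX 16  /* hypothetical name; size of the buffer in the advisory */

/*
 * Copy the interface label that starts a /proc/net/dev data line
 * ("  eth0: 1234 ...") into dst. Returns a pointer to the text after the
 * ':' on success. Returns NULL, with dst set to "", if the line is
 * malformed or the label does not fit in dstsz bytes including the NUL.
 */
const char *parse_iface_label(char *dst, size_t dstsz, const char *line)
{
    size_t n = 0;

    if (dst == NULL || dstsz == 0)
        return NULL;
    if (line == NULL)
        goto fail;

    /* Leading padding before the label is allowed. */
    while (isspace((unsigned char)*line))
        line++;

    while (*line != '\0' && *line != ':') {
        if (isspace((unsigned char)*line))
            goto fail;              /* label ended without a ':' */
        if (n + 1 >= dstsz)
            goto fail;              /* no room for this byte plus the NUL */
        dst[n++] = *line++;
    }
    if (*line != ':' || n == 0)
        goto fail;                  /* missing separator or empty label */

    dst[n] = '\0';
    return line + 1;

fail:
    dst[0] = '\0';                  /* never hand back a partial label */
    return NULL;
}
```

A caller should treat a NULL return as a malformed line and skip it instead of truncating the label, since a silently truncated name could match a different interface.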

#1105806#10
Date:
2025-05-15 03:50:11 UTC
Dear maintainer,

I've prepared an NMU for net-tools (versioned as 2.10-1.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it.

Aiming to get the change in trixie ideally, thus already proposing the
NMU, and uploading to delayed.

Regards,
Salvatore

#1105806#21
Date:
2025-05-15 13:44:04 UTC
Hi,

FTR, Martina acknowledged offlist to move the upload directly, so have
just rescheduled it, thank you!

Regards,
Salvatore

#1105806#26
Date:
2025-05-15 13:50:10 UTC
We believe that the bug you reported is fixed in the latest version of
net-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1105806@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated net-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 15 May 2025 05:43:50 +0200
Source: net-tools
Architecture: source
Version: 2.10-1.2
Distribution: unstable
Urgency: medium
Maintainer: net-tools Team <team+net-tools@tracker.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1105806
Changes:
 net-tools (2.10-1.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-46836: interface.c: Stack-based Buffer Overflow in get_name()
     (Closes: #1105806)

#1105806#31
Date:
2025-05-15 15:28:57 UTC
hey,

(sorry for top posting)

yes, absolutely agreed. thank you for taking care of it.

let me know if you need help with stable uploads.


- u

On Thu, May 15, 2025 at 3:44 PM Salvatore Bonaccorso <carnil@debian.org> wrote:

#1105806#36
Date:
2025-05-16 05:05:03 UTC
Hi Utkarsh,

Thanks for the confirmation as well.

Thanks. The update for bookworm-security is done as well, but I will
wait a bit to actually release it (exposure in unstable).

Regards,
Salvatore

#1105806#41
Date:
2025-05-18 20:40:24 UTC
We believe that the bug you reported is fixed in the latest version of
net-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1105806@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated net-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 15 May 2025 05:52:03 +0200
Source: net-tools
Architecture: source
Version: 2.10-0.1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: net-tools Team <team+net-tools@tracker.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1105806
Changes:
 net-tools (2.10-0.1+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2025-46836: interface.c: Stack-based Buffer Overflow in get_name()
     (Closes: #1105806)