• Bug#1105806: net-tools: CVE-2025-46836

    From Salvatore Bonaccorso@21:1/5 to All on Thu May 15 05:50:01 2025
    Source: net-tools
    Version: 2.10-1.1
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

    Hi,

    The following vulnerability was published for net-tools.

    CVE-2025-46836[0]:
    | net-tools is a collection of programs that form the base set of the
    | NET-3 networking distribution for the Linux operating system. In
    | versions up to and including 2.10, the Linux network utilities (like
    | ifconfig) from the net-tools package do not properly validate the
    | structure of /proc files when showing interfaces. `get_name()` in
    | `interface.c` copies interface labels from `/proc/net/dev` into a
    | fixed 16-byte stack buffer without bounds checking, leading to
    | possible arbitrary code execution or crash. The known attack path
    | does not require privilege but also does not provide privilege
    | escalation in this scenario. A patch is available and expected to be
    | part of version 2.20.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-46836
        https://www.cve.org/CVERecord?id=CVE-2025-46836
    [1] https://github.com/ecki/net-tools/security/advisories/GHSA-pfwf-h6m3-63wf
    [2] https://github.com/ecki/net-tools/commit/7a8f42fb20013a1493d8cae1c43436f85e656f2d

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore
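
Added example, not part of the original report and not the upstream net-tools patch: a bounded way to pull the interface label out of a `/proc/net/dev`-style line into the 16-byte buffer the CVE text mentions, rejecting labels that do not fit. The function name `parse_if_label`, the `LABEL_BUF` macro and the sample lines are assumptions made for illustration; alias labels containing extra colons are not handled.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define LABEL_BUF 16  /* the fixed 16-byte buffer size named in the CVE text */

/*
 * Hypothetical helper (not net-tools' get_name()): copy the interface label
 * from one /proc/net/dev-style line into dst, refusing labels that do not
 * fit. Returns a pointer just past the ':' on success, NULL on a malformed
 * or over-long line. dst is always NUL-terminated when dstsz > 0.
 */
const char *parse_if_label(char *dst, size_t dstsz, const char *line)
{
    size_t n = 0;

    if (dstsz == 0)
        return NULL;
    dst[0] = '\0';

    while (isspace((unsigned char)*line))   /* skip leading padding */
        line++;

    while (*line != '\0' && *line != ':' && !isspace((unsigned char)*line)) {
        if (n + 1 >= dstsz) {               /* no room for this byte + NUL */
            dst[0] = '\0';
            return NULL;                    /* reject instead of truncating */
        }
        dst[n++] = *line++;
    }
    dst[n] = '\0';

    if (*line != ':' || n == 0) {           /* no separator or empty label */
        dst[0] = '\0';
        return NULL;
    }
    return line + 1;
}

/* Constructed sample lines, not captured from a real system. */
static const char SAMPLE_OK[]    = "  eth0: 1500 10 0 0 0 0 0 0";
static const char SAMPLE_LONG[]  = "  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: 0 0 0";
static const char SAMPLE_MAX[]   = "abcdefghijklmno: 1";  /* 15 chars: fits */
static const char SAMPLE_NOSEP[] = "   lo 0 0 0";
```

Rejecting an over-long label outright, rather than silently truncating it, keeps a malformed `/proc` file from being displayed as if it named a real interface.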

  • From Debian Bug Tracking System@21:1/5 to All on Thu May 15 16:00:01 2025

    Your message dated Thu, 15 May 2025 13:50:10 +0000
    with message-id <[email protected]>
    and subject line Bug#1105806: fixed in net-tools 2.10-1.2
    has caused the Debian Bug report #1105806,
    regarding net-tools: CVE-2025-46836
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact [email protected]
    immediately.)


    --
    1105806: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105806
    Debian Bug Tracking System
    Contact [email protected] with problems

  • From Debian Bug Tracking System@21:1/5 to All on Sun May 18 22:50:01 2025

    Your message dated Sun, 18 May 2025 20:40:24 +0000
    with message-id <[email protected]>
    and subject line Bug#1105806: fixed in net-tools 2.10-0.1+deb12u1
    has caused the Debian Bug report #1105806,
    regarding net-tools: CVE-2025-46836
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact [email protected]
    immediately.)


    --
    1105806: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105806
    Debian Bug Tracking System
    Contact [email protected] with problems
