!19 fix CVE-2024-52949

From: @yangl777 
Reviewed-by: @robertxw 
Signed-off-by: @robertxw

0001-BUGFIX-fix-Floating-point-exception-in-tcplog_flowra.patch

@@ -1,37 +0,0 @@
-From 9b320138755542b927df650da0bd1e61ecaa41d7 Mon Sep 17 00:00:00 2001
-Message-Id: <9b320138755542b927df650da0bd1e61ecaa41d7.1378117677.git.npajkovs@redhat.com>
-From: Vitezslav Samel <vitezslav@samel.cz>
-Date: Thu, 29 Aug 2013 10:11:42 +0200
-Subject: [PATCH] BUGFIX: fix "Floating point exception" in
- tcplog_flowrate_msg()
-
-commit 0d55bee "tcplog_flowrate_msg(): cleanup and fix") removed
-condition, which leads to zero division.
-
-Time diff between current time and ->conn_starttime is 0, because of
-rate_print updates happen in less then 1 sec and later on, we try to
-divide ->bcount by interval, which is 0, hencs zero division.
-
-Reported-by: Erik K. <ummeegge@ipfire.org>
-Signed-off-by: Vitezslav Samel <vitezslav@samel.cz>
-Signed-off-by: Nikola Pajkovsky <npajkovs@redhat.com>
----
- src/tcptable.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/tcptable.c b/src/tcptable.c
-index a4133d9..e217b19 100644
---- a/src/tcptable.c
-+++ b/src/tcptable.c
-@@ -437,6 +437,8 @@ static char *tcplog_flowrate_msg(struct tcptableent *entry, char *buf,
- 				 size_t bufsize)
- {
- 	time_t interval = time(NULL) - entry->conn_starttime;
-+	if (interval < 1)
-+		interval = 1;
- 
- 	char rbuf[64];
- 	rate_print(entry->bcount / interval, rbuf, sizeof(rbuf));
--- 
-1.8.1.2
-

0002-Makefile-add-Werror-format-security.patch

@@ -1,79 +0,0 @@
-From 202b2e7b27a159d54a525b0cfd366b8d52d5a3a1 Mon Sep 17 00:00:00 2001
-Message-Id: <202b2e7b27a159d54a525b0cfd366b8d52d5a3a1.1386069831.git.npajkovs@redhat.com>
-From: Nikola Pajkovsky <npajkovs@redhat.com>
-Date: Tue, 3 Dec 2013 12:12:16 +0100
-Subject: [PATCH] Makefile: add -Werror=format-security
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
--Wformat-security
-        If -Wformat is specified, also warn about uses of format
-        functions that represent possible security problems. At
-        present, this warns about calls to printf and scanf functions
-        where the format string is not a string literal and there are
-        no format arguments, as in printf (foo);. This may be a
-        security hole if the format string came from untrusted input
-        and contains ‘%n’. (This is currently a subset of what
-        -Wformat-nonliteral warns about, but in future warnings may be
-        added to -Wformat-security that are not included in
-        -Wformat-nonliteral.)
-
-Signed-off-by: Nikola Pajkovsky <npajkovs@redhat.com>
----
- Makefile       | 2 +-
- src/ipfilter.c | 2 +-
- src/othptab.c  | 4 ++--
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 46e5632e3287..958b0fbeec0f 100644
---- a/Makefile
-+++ b/Makefile
-@@ -18,7 +18,7 @@ VERSION-FILE: FORCE
- 	@$(SHELL_PATH) ./GEN-VERSION-FILE
- -include VERSION-FILE
- 
--CFLAGS = -g -O2 -Wall -W -std=gnu99
-+CFLAGS = -g -O2 -Wall -W -std=gnu99 -Werror=format-security
- LDFLAGS =
- ALL_CFLAGS = $(CPPFLAGS) $(CFLAGS)
- ALL_LDFLAGS = $(LDFLAGS)
-diff --git a/src/ipfilter.c b/src/ipfilter.c
-index eb17ec7c7615..8c76e4c801c2 100644
---- a/src/ipfilter.c
-+++ b/src/ipfilter.c
-@@ -146,7 +146,7 @@ void gethostparams(struct hostparams *data, char *init_saddr, char *init_smask,
- 				snprintf(msgstr, 60,
- 					 "Invalid protocol input at or near token \"%s\"",
- 					 bptr);
--				tui_error(ANYKEY_MSG, msgstr);
-+				tui_error(ANYKEY_MSG, "%s", msgstr);
- 				doagain = 1;
- 			} else
- 				doagain = 0;
-diff --git a/src/othptab.c b/src/othptab.c
-index 5c09241fca99..e23f39e5df45 100644
---- a/src/othptab.c
-+++ b/src/othptab.c
-@@ -407,7 +407,7 @@ void printothpentry(struct othptable *table, struct othptabent *entry,
- 				break;
- 			}
- 
--			sprintf(scratchpad, rarp_mac_addr);
-+			sprintf(scratchpad, "%s", rarp_mac_addr);
- 			strcat(msgstring, scratchpad);
- 			wattrset(table->othpwin, ARPATTR);
- 			break;
-@@ -482,7 +482,7 @@ void printothpentry(struct othptable *table, struct othptabent *entry,
- 		wattrset(table->othpwin, UNKNIPATTR);
- 		protptr = getprotobynumber(entry->protocol);
- 		if (protptr != NULL) {
--			sprintf(protname, protptr->p_aliases[0]);
-+			sprintf(protname, "%s", protptr->p_aliases[0]);
- 		} else {
- 			sprintf(protname, "IP protocol");
- 			unknown = 1;
--- 
-1.8.3.2
-

0003-fix-segfault-in-adding-interface.patch

@@ -1,63 +0,0 @@
-From 690663d07f29789c1ba2260e59c4f71b8721dea6 Mon Sep 17 00:00:00 2001
-From: Vitezslav Samel <vitezslav@samel.cz>
-Date: Thu, 17 Apr 2014 14:24:23 +0200
-Subject: [PATCH 001/111] bugfix: positionptr(): properly allocate newly
- created interfaces
-
-When creating new entry in interface list (for interface created when
-ifstats() already running) we must allocate/init the rate too.
-
-Fix this bug by creating new function alloc_iflist_entry() and use it
-where appropriate.
-
-Signed-off-by: Vitezslav Samel <vitezslav@samel.cz>
-Signed-off-by: Nikola Pajkovsky <n.pajkovsky@gmail.com>
----
- src/ifstats.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/src/ifstats.c b/src/ifstats.c
-index 2eb51b6..2a5bba4 100644
---- a/src/ifstats.c
-+++ b/src/ifstats.c
-@@ -126,6 +126,15 @@ static int ifinlist(struct iflist *list, char *ifname)
- 	return result;
- }
- 
-+static struct iflist *alloc_iflist_entry(void)
-+{
-+	struct iflist *tmp = xmallocz(sizeof(struct iflist));
-+
-+	rate_alloc(&tmp->rate, 5);
-+
-+	return tmp;
-+}
-+
- /*
-  * Initialize the list of interfaces.  This linked list is used in the
-  * selection boxes as well as in the general interface statistics screen.
-@@ -171,10 +180,9 @@ static void initiflist(struct iflist **list)
- 		 * At this point, the interface is now sure to be up and running.
- 		 */
- 
--		struct iflist *itmp = xmallocz(sizeof(struct iflist));
--		strcpy(itmp->ifname, ifname);
-+		struct iflist *itmp = alloc_iflist_entry();
- 		itmp->ifindex = ifindex;
--		rate_alloc(&itmp->rate, 5);
-+		strcpy(itmp->ifname, ifname);
- 
- 		/* make the linked list sorted by ifindex */
- 		struct iflist *cur = *list, *last = NULL;
-@@ -211,7 +219,7 @@ static struct iflist *positionptr(struct iflist *iflist, const int ifindex)
- 	}
- 	/* no interface was found, try to create new one */
- 	if (ptmp == NULL) {
--		struct iflist *itmp = xmallocz(sizeof(struct iflist));
-+		struct iflist *itmp = alloc_iflist_entry();
- 		itmp->ifindex = ifindex;
- 		itmp->index = last->index + 1;
- 		int r = dev_get_ifname(ifindex, itmp->ifname);
--- 
-2.5.5
-

backport-CVE-2024-52949.patch

@@ -0,0 +1,217 @@
+From 2b623e991115358a57275af8a53feb5ae707b3ae Mon Sep 17 00:00:00 2001
+From: Vitezslav Samel <vitezslav@samel.cz>
+Date: Thu, 21 Nov 2024 08:43:57 +0100
+Subject: [PATCH] interface names: limit length to IFNAMSIZ
+
+This fixes CVE-2024-52949 (stack based buffer overflow)
+when copying user supplied interface name without any
+check.
+
+Problem was reported by Massimiliano Ferraresi and Massimiliano Brolli
+from TIM Red team (https://www.gruppotim.it/it/footer/red-team.html)
+
+Reported-by: Massimiliano Ferraresi, Massimiliano Brolli
+Signed-off-by: Vitezslav Samel <vitezslav@samel.cz>
+---
+ src/ifaces.c           | 16 ++++++++--------
+ src/ifstats.c          |  6 +++---
+ src/iptraf-ng-compat.h |  1 +
+ src/iptraf.c           |  9 +++++++++
+ src/othptab.c          |  2 +-
+ src/promisc.c          |  2 +-
+ src/tcptable.c         |  4 ++--
+ src/wrapper.c          |  8 ++++++++
+ 8 files changed, 33 insertions(+), 15 deletions(-)
+
+diff --git a/src/ifaces.c b/src/ifaces.c
+index aeb1614..4c5a545 100644
+--- a/src/ifaces.c
++++ b/src/ifaces.c
+@@ -67,7 +67,7 @@ int dev_up(char *iface)
+ 
+ 	fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ 
+-	strcpy(ifr.ifr_name, iface);
++	ifname_copy(ifr.ifr_name, iface);
+ 	ir = ioctl(fd, SIOCGIFFLAGS, &ifr);
+ 
+ 	close(fd);
+@@ -90,7 +90,7 @@ int dev_get_ifindex(const char *iface)
+ 		return fd;
+ 
+ 	struct ifreq ifr;
+-	strcpy(ifr.ifr_name, iface);
++	ifname_copy(ifr.ifr_name, iface);
+ 	int ir = ioctl(fd, SIOCGIFINDEX, &ifr);
+ 
+ 	/* need to preserve errno across call to close() */
+@@ -114,7 +114,7 @@ int dev_get_mtu(const char *iface)
+ 		return fd;
+ 
+ 	struct ifreq ifr;
+-	strcpy(ifr.ifr_name, iface);
++	ifname_copy(ifr.ifr_name, iface);
+ 	int ir = ioctl(fd, SIOCGIFMTU, &ifr);
+ 
+ 	/* need to preserve errno across call to close() */
+@@ -138,7 +138,7 @@ int dev_get_flags(const char *iface)
+ 		return fd;
+ 
+ 	struct ifreq ifr;
+-	strcpy(ifr.ifr_name, iface);
++	ifname_copy(ifr.ifr_name, iface);
+ 	int ir = ioctl(fd, SIOCGIFFLAGS, &ifr);
+ 
+ 	/* need to preserve errno across call to close() */
+@@ -162,7 +162,7 @@ int dev_set_flags(const char *iface, int flags)
+ 		return fd;
+ 
+ 	struct ifreq ifr;
+-	strcpy(ifr.ifr_name, iface);
++	ifname_copy(ifr.ifr_name, iface);
+ 	int ir = ioctl(fd, SIOCGIFFLAGS, &ifr);
+ 	if (ir == -1)
+ 		goto err;
+@@ -190,7 +190,7 @@ int dev_clear_flags(const char *iface, int flags)
+ 		return fd;
+ 
+ 	struct ifreq ifr;
+-	strcpy(ifr.ifr_name, iface);
++	ifname_copy(ifr.ifr_name, iface);
+ 	int ir = ioctl(fd, SIOCGIFFLAGS, &ifr);
+ 	if (ir == -1)
+ 		goto err;
+@@ -233,7 +233,7 @@ int dev_get_ifname(int ifindex, char *ifname)
+ 		return ir;
+ 	}
+ 
+-	strncpy(ifname, ifr.ifr_name, IFNAMSIZ);
++	ifname_copy(ifname, ifr.ifr_name);
+ 	return ir;
+ }
+ 
+@@ -256,7 +256,7 @@ int dev_bind_ifname(int fd, const char * const ifname)
+ 		int ir;
+ 		struct ifreq ifr;
+ 
+-		strcpy(ifr.ifr_name, ifname);
++		ifname_copy(ifr.ifr_name, ifname);
+ 		ir = ioctl(fd, SIOCGIFINDEX, &ifr);
+ 		if (ir)
+ 			return ir;
+diff --git a/src/ifstats.c b/src/ifstats.c
+index 00a2a3f..1b687b6 100644
+--- a/src/ifstats.c
++++ b/src/ifstats.c
+@@ -194,7 +194,7 @@ static void initiflist(struct iflist **list)
+ 
+ 		struct iflist *itmp = alloc_iflist_entry();
+ 		itmp->ifindex = ifindex;
+-		strcpy(itmp->ifname, ifname);
++		ifname_copy(itmp->ifname, ifname);
+ 
+ 		/* make the linked list sorted by ifindex */
+ 		struct iflist *cur = *list, *last = NULL;
+@@ -714,9 +714,9 @@ void selectiface(char *ifname, int withall, int *aborted)
+ 	if (!(*aborted) && (list != NULL)) {
+ 		ptmp = (struct iflist *) scrolllist.textptr->nodeptr;
+ 		if ((withall) && (ptmp->prev_entry == NULL))	/* All Interfaces */
+-			strcpy(ifname, "");
++			ifname_copy(ifname, "");
+ 		else
+-			strcpy(ifname, ptmp->ifname);
++			ifname_copy(ifname, ptmp->ifname);
+ 	}
+ 
+ 	tx_destroy_list(&scrolllist);
+diff --git a/src/iptraf-ng-compat.h b/src/iptraf-ng-compat.h
+index 5aec185..845f18b 100644
+--- a/src/iptraf-ng-compat.h
++++ b/src/iptraf-ng-compat.h
+@@ -112,6 +112,7 @@ extern void *xmallocz(size_t size);
+ extern char *xstrdup(const char *s);
+ extern int strtoul_ui(char const *s, int base, unsigned int *result);
+ extern int strtol_i(char const *s, int base, int *result);
++extern void ifname_copy(char *dst, const char *src);
+ 
+ extern void die(const char *err, ...) __noreturn __printf(1,2);
+ extern void die_errno(const char *fmt, ...) __noreturn __printf(1,2);
+diff --git a/src/iptraf.c b/src/iptraf.c
+index 95f8e53..e5dcb64 100644
+--- a/src/iptraf.c
++++ b/src/iptraf.c
+@@ -388,6 +388,15 @@ int main(int argc, char **argv)
+ 	if (__builtin_popcount(command) > 1)
+ 		die("only one of -i|-d|-s|-z|-l|-g options must be used");
+ 
++	/* sanity check of passed arguments */
++	if ((i_opt && strlen(i_opt) >= IFNAMSIZ) ||
++	    (d_opt && strlen(d_opt) >= IFNAMSIZ) ||
++	    (s_opt && strlen(s_opt) >= IFNAMSIZ) ||
++	    (z_opt && strlen(z_opt) >= IFNAMSIZ) ||
++	    (l_opt && strlen(l_opt) >= IFNAMSIZ)) {
++		die("interface name is too long");
++	}
++
+ 	strcpy(current_logfile, "");
+ 
+ 	if (f_opt) {
+diff --git a/src/othptab.c b/src/othptab.c
+index d1d9658..80f3dc8 100644
+--- a/src/othptab.c
++++ b/src/othptab.c
+@@ -271,7 +271,7 @@ struct othptabent *add_othp_entry(struct othptable *table, struct pkt_hdr *pkt,
+ 	}
+ 
+ 	new_entry->protocol = protocol;
+-	strcpy(new_entry->iface, ifname);
++	ifname_copy(new_entry->iface, ifname);
+ 
+ 	new_entry->pkt_length = pkt->pkt_len;
+ 
+diff --git a/src/promisc.c b/src/promisc.c
+index d94e8bb..4737962 100644
+--- a/src/promisc.c
++++ b/src/promisc.c
+@@ -70,7 +70,7 @@ static void promisc_enable_dev(struct list_head *promisc, int sock, const char *
+ 	struct promisc_list *new = xmallocz(sizeof(*new));
+ 
+ 	new->ifindex = ifindex;
+-	strcpy(new->ifname, dev);
++	ifname_copy(new->ifname, dev);
+ 	list_add_tail(&new->list, promisc);
+ }
+ 
+diff --git a/src/tcptable.c b/src/tcptable.c
+index 159d628..2c4efc1 100644
+--- a/src/tcptable.c
++++ b/src/tcptable.c
+@@ -365,8 +365,8 @@ struct tcptableent *addentry(struct tcptable *table,
+ 	 * Store interface name
+ 	 */
+ 
+-	strcpy(new_entry->ifname, ifname);
+-	strcpy(new_entry->oth_connection->ifname, ifname);
++	ifname_copy(new_entry->ifname, ifname);
++	ifname_copy(new_entry->oth_connection->ifname, ifname);
+ 
+ 	/*
+ 	 * Zero out MAC address fields
+diff --git a/src/wrapper.c b/src/wrapper.c
+index 2eb3b59..1d2dc6f 100644
+--- a/src/wrapper.c
++++ b/src/wrapper.c
+@@ -78,3 +78,11 @@ int strtol_i(char const *s, int base, int *result)
+ 	*result = ul;
+ 	return 0;
+ }
++
++/* it's up to the caller to ensure there is room for */
++/* at least IFNAMSIZ bytes in dst */
++void ifname_copy(char *dst, const char *src)
++{
++	strncpy(dst, src, IFNAMSIZ - 1);
++	dst[IFNAMSIZ - 1] = '\0';
++}
+-- 
+2.33.0

iptraf-ng.spec

@@ -1,16 +1,14 @@
 Name:           iptraf-ng
 Summary:        A console-based network monitoring utility
-Version:        1.1.4
-Release:        21
+Version:        1.2.0
+Release:        2
 License:        GPLv2+
 URL:            https://github.com/%{name}/%{name}/
 Source0:        https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz
 Source1:        %{name}-logrotate.conf
 Source2:        %{name}-tmpfiles.conf
 
-Patch0:         0001-BUGFIX-fix-Floating-point-exception-in-tcplog_flowra.patch
-Patch1:         0002-Makefile-add-Werror-format-security.patch
-Patch2:         0003-fix-segfault-in-adding-interface.patch
+Patch1:         backport-CVE-2024-52949.patch
 
 BuildRequires:  gcc ncurses-devel
 Obsoletes:      iptraf < 3.1
@@ -51,7 +49,7 @@ CFLAGS="-g -O2 -Wall -W -std=gnu99 -Werror=format-security %{optflags}" \
 # Delete files that are not in HTML or PNG format in Documentation.
 find Documentation -type f ! -name "*.html" \
     -type f ! -name "*.png" \
-    | grep -v '/stylesheet' \
+    -type f ! -name "." \
     | xargs rm -f
 
 install -D -m 0644 -p %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
@@ -70,12 +68,21 @@ install -d -m 0755 %{buildroot}/run/%{name}/
 
 %files help
 %defattr(-,root,root)
-%doc Documentation FAQ CHANGES README* RELEASE-NOTES
+%doc Documentation FAQ CHANGES README*
 %{_mandir}/man8/*.8.gz
 
 %changelog
-* Tue Dec 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.1.4-22
-- Fixes an issue where gif images were deleted by mistake
+* Fri Nov 29 2024 yanglu <yanglu72@h-partners.com> - 1.2.0-2
+- Type:CVE
+- CVE:CVE-2024-52949
+- SUG:NA
+- DESC:fix CVE-2024-52949
+
+* Wed Aug 19 2020 yuboyun <yuboyun@huawei.com> - 1.2.0-1
+- Type:update
+- Id:NA
+- SUG:NA
+- DESC:update to 1.2.0
 
 * Fri Aug 30 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.1.4-21
 - Package init