[MEDIUM] Patch net-tools for CVE-2025-46836 (#13832)

Author: aninda-al

SPECS/net-tools/CVE-2025-46836.patch

@@ -0,0 +1,89 @@
+From c4e1e6b0319f35b0ceafa8b9502fd71798a7bcf7 Mon Sep 17 00:00:00 2001
+From: Aninda <[email protected]>
+Date: Mon, 19 May 2025 11:04:33 -0400
+Subject: [PATCH] Address CVE-2025-46836
+Upstream Patch Reference: https://github.com/ecki/net-tools/commit/7a8f42fb20013a1493d8cae1c43436f85e656f2d
+
+---
+ lib/interface.c | 63 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 24 deletions(-)
+
+diff --git a/lib/interface.c b/lib/interface.c
+index 42cddda..2d6b6a3 100644
+--- a/lib/interface.c
++++ b/lib/interface.c
+@@ -211,32 +211,47 @@ out:
+ }
+ 
+ static const char *get_name(char *name, const char *p)
++/* Safe version — guarantees at most IFNAMSIZ‑1 bytes are copied
++   and the destination buffer is always NUL‑terminated.             */
+ {
+-    while (isspace(*p))
+-	p++;
+-    while (*p) {
+-	if (isspace(*p))
+-	    break;
+-	if (*p == ':') {	/* could be an alias */
+-		const char *dot = p++;
+- 		while (*p && isdigit(*p)) p++;
+-		if (*p == ':') {
+-			/* Yes it is, backup and copy it. */
+-			p = dot;
+-			*name++ = *p++;
+-			while (*p && isdigit(*p)) {
+-				*name++ = *p++;
+-			}
+-		} else {
+-			/* No, it isn't */
+-			p = dot;
+-	    }
+-	    p++;
+-	    break;
+-	}
+-	*name++ = *p++;
++    char       *dst = name;                 /* current write ptr          */
++    const char *end = name + IFNAMSIZ - 1;  /* last byte we may write     */
++
++    /* Skip leading white‑space. */
++    while (isspace((unsigned char)*p))
++        ++p;
++
++    /* Copy until white‑space, end of string, or buffer full. */
++    while (*p && !isspace((unsigned char)*p) && dst < end) {
++        if (*p == ':') {                    /* possible alias veth0:123:  */
++            const char *dot = p;            /* remember the colon         */
++            ++p;
++            while (*p && isdigit((unsigned char)*p))
++                ++p;
++
++            if (*p == ':') {                /* confirmed alias            */
++                p = dot;                    /* rewind and copy it all     */
++
++                /* copy the colon */
++                if (dst < end)
++                    *dst++ = *p++;
++
++                /* copy the digits */
++                while (*p && isdigit((unsigned char)*p) && dst < end)
++                    *dst++ = *p++;
++
++                if (*p == ':')              /* consume trailing colon     */
++                    ++p;
++            } else {              /* if so treat as normal */
++                p = dot;
++            }
++            break;                          /* interface name ends here   */
++        }
++
++        *dst++ = *p++;                      /* ordinary character copy    */
+     }
+-    *name++ = '\0';
++
++    *dst = '\0';                            /* always NUL‑terminate       */
+     return p;
+ }
+ 
+-- 
+2.34.1
+

SPECS/net-tools/net-tools.spec

@@ -1,13 +1,14 @@
 Summary:        Networking Tools
 Name:           net-tools
 Version:        2.10
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/Base
 URL:            https://sourceforge.net/projects/net-tools/
 Source0:        https://downloads.sourceforge.net/project/%{name}/%{name}-%{version}.tar.xz
+Patch0:         CVE-2025-46836.patch
 Conflicts:      toybox
 Obsoletes:      inetutils
 Provides:       hostname = %{version}-%{release}
@@ -47,6 +48,9 @@ make BASEDIR=%{buildroot} install
 %{_mandir}/man8/*
 
 %changelog
+* Mon May 20 2025 Aninda Pradhan <[email protected]> - 2.10-4
+- Fixes CVE-2025-46836 with an upstream patch
+
 * Wed Sep 20 2023 Jon Slobodzian <[email protected]> - 2.10-3
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)