File project.diff of Package net-tools
--- net-tools-CVE-2025-46836.patch.orig
+++ net-tools-CVE-2025-46836.patch
@@ -9,23 +9,19 @@ Coordinated as GHSA-pfwf-h6m3-63wf
lib/interface.c | 63 ++++++++++++++++++++++++++++++-------------------
1 file changed, 39 insertions(+), 24 deletions(-)
-Index: net-tools-2.10/lib/interface.c
-===================================================================
---- net-tools-2.10.orig/lib/interface.c
-+++ net-tools-2.10/lib/interface.c
-@@ -209,33 +209,46 @@ out:
+diff --git a/lib/interface.c b/lib/interface.c
+index 71d4163..a054f12 100644
+--- a/lib/interface.c
++++ b/lib/interface.c
+@@ -211,32 +211,47 @@ out:
}
- static const char *get_name(char **namep, const char *p)
+ static const char *get_name(char *name, const char *p)
+/* Safe version — guarantees at most IFNAMSIZ‑1 bytes are copied
+ and the destination buffer is always NUL‑terminated. */
{
- while (isspace(*p))
- p++;
-+ /* Skip leading white‑space. */
-+ while (isspace((unsigned char)*p))
-+ ++p;
- char *name = *namep = p;
- while (*p) {
- if (isspace(*p))
- break;
@@ -49,6 +45,11 @@ Index: net-tools-2.10/lib/interface.c
- *name++ = *p++;
+ char *dst = name; /* current write ptr */
+ const char *end = name + IFNAMSIZ - 1; /* last byte we may write */
++
++ /* Skip leading white‑space. */
++ while (isspace((unsigned char)*p))
++ ++p;
++
+ /* Copy until white‑space, end of string, or buffer full. */
+ while (*p && !isspace((unsigned char)*p) && dst < end) {
+ if (*p == ':') { /* possible alias veth0:123: */
@@ -84,3 +85,6 @@ Index: net-tools-2.10/lib/interface.c
return p;
}
+--
+2.48.1
+
--- net-tools.changes.orig
+++ net-tools.changes
@@ -1,4 +1,43 @@
-------------------------------------------------------------------
+Mon Sep 8 15:38:28 UTC 2025 - Stanislav Brabec <sbrabec@suse.com>
+
+- Drop 0002-Do-not-warn-about-interface-socket-not-binded.patch. It
+ worked around a net-tools-1.60 specific problem, that does not
+ happen in net-tools-2.10. It is more harmful than useful, as it
+ can hide real problems. (bsc#430864#c15,
+ https://github.com/ecki/net-tools/issues/32#issuecomment-3265471116).
+
+-------------------------------------------------------------------
+Sat Sep 6 15:35:13 UTC 2025 - Stanislav Brabec <sbrabec@suse.com>
+
+- Drop 0004-By-default-do-not-fopen-anything-in-netrom_gr.patch. It
+ was net-tools-1.60 specific leak fix and breaks netrom in
+ net-tools-2.10 (bnc#544339#c2).
+
+-------------------------------------------------------------------
+Thu Aug 28 18:46:35 UTC 2025 - Stanislav Brabec <sbrabec@suse.com>
+
+- Drop old Fedora patch 0006-Allow-interface-stacking.patch. It
+ provided a fix for CVE-2025-46836 (bsc#142461), but it was fixes
+ by the upstream in 2025 in a different way. Revert interferring
+ net-tools-CVE-2025-46836.patch back to the upstream version.
+- Fix stack buffer overflow in parse_hex (bsc#1248687,
+ GHSA-h667-qrp8-gj58, net-tools-parse_hex-stack-overflow.patch).
+- Fix stack-based buffer overflow in proc_gen_fmt (bsc#1248687,
+ GHSA-w7jq-cmw2-cq59,
+ net-tools-proc_gen_fmt-buffer-overflow.patch).
+- Avoid unsafe memcpy in ifconfig (bsc#1248687,
+ net-tools-ifconfig-avoid-unsafe-memcpy.patch).
+- Prevent overflow in ax25 and netrom (bsc#1248687,
+ net-tools-ax25+netrom-overflow-1.patch,
+ net-tools-ax25+netrom-overflow-2.patch).
+- Keep possibility to enter long interface names, even if they are
+ not accepted by the kernel, because it was always possible up to
+ CVE-2025-46836 fix. But issue a warning about an interface name
+ concatenation (bsc#1248410,
+ net-tools-ifconfig-long-name-warning.patch).
+
+-------------------------------------------------------------------
Mon Aug 11 12:42:17 UTC 2025 - Stanislav Brabec <sbrabec@suse.com>
- Provide more readable error for interface name size checking
@@ -14,7 +53,7 @@ Mon Aug 4 06:27:05 UTC 2025 - Stanislav
Thu Jul 10 03:44:15 UTC 2025 - Stanislav Brabec <sbrabec@suse.com>
- Perform bound checks when parsing interface labels in
- /proc/net/dev (bsc#1243581, CVE-2025-46836,
+ /proc/net/dev (bsc#1243581, CVE-2025-46836, GHSA-pfwf-h6m3-63wf,
net-tools-CVE-2025-46836.patch,
net-tools-CVE-2025-46836-regression.patch).
--- net-tools.spec.orig
+++ net-tools.spec
@@ -29,9 +29,6 @@ Source: https://sourceforge.net/
Patch0: net-tools-configure.patch
# Git formatted patches described in each patch
Patch1: 0001-Add-ether-wake-binary.patch
-Patch2: 0002-Do-not-warn-about-interface-socket-not-binded.patch
-Patch4: 0004-By-default-do-not-fopen-anything-in-netrom_gr.patch
-Patch6: 0006-Allow-interface-stacking.patch
Patch7: 0007-Introduce-T-notrim-option-in-netstat.patch
# PATCH-FIX-SECURITY net-tools-CVE-2025-46836.patch bsc1243581 sbrabec@suse.com -- Perform bound checks when parsing interface labels in /proc/net/dev.
Patch8: net-tools-CVE-2025-46836.patch
@@ -39,6 +36,18 @@ Patch8: net-tools-CVE-2025-46836
Patch9: net-tools-CVE-2025-46836-regression.patch
# PATCH-FIX-UPSTREAM net-tools-CVE-2025-46836-error-reporting.patch bsc1243581 sbrabec@suse.com -- Provide more readable error for interface name size checking.
Patch10: net-tools-CVE-2025-46836-error-reporting.patch
+# PATCH-FIX-SECURITY net-tools-parse_hex-stack-overflow.patch bsc1248410 sbrabec@suse.com -- Fix stack buffer overflow in parse_hex.
+Patch11: net-tools-parse_hex-stack-overflow.patch
+# PATCH-FIX-SECURITY net-tools-proc_gen_fmt-buffer-overflow.patch bsc1248410 sbrabec@suse.com -- Fix stack-based buffer overflow in proc_gen_fmt.
+Patch12: net-tools-proc_gen_fmt-buffer-overflow.patch
+# PATCH-FIX-SECURITY net-tools-ifconfig-avoid-unsafe-memcpy.patch bsc1248410 sbrabec@suse.com -- Avoid unsafe memcpy in ifconfig.
+Patch13: net-tools-ifconfig-avoid-unsafe-memcpy.patch
+# PATCH-FIX-SECURITY net-tools-ax25+netrom-overflow-1.patch bsc1248410 sbrabec@suse.com -- Prevent overflow in ax25 and netrom.
+Patch14: net-tools-ax25+netrom-overflow-1.patch
+# PATCH-FIX-SECURITY net-tools-ax25+netrom-overflow-2.patch bsc1248410 sbrabec@suse.com -- Prevent overflow in ax25 and netrom.
+Patch15: net-tools-ax25+netrom-overflow-2.patch
+# PATCH-FIX-UPSTREAM net-tools-ifconfig-long-name-warning.patch bsc1248410 sbrabec@suse.com -- Allow to enter long interface names again.
+Patch16: net-tools-ifconfig-long-name-warning.patch
BuildRequires: help2man
Requires: hostname
Recommends: traceroute >= 2.0.0
