Merge pull request #8847 from rycee/fix/vsftpd-CVE-2015-1419
vsftpd: fix CVE-2015-1419
This commit is contained in:
commit
291b006285
2 changed files with 106 additions and 0 deletions
104
pkgs/servers/ftp/vsftpd/CVE-2015-1419.patch
Normal file
104
pkgs/servers/ftp/vsftpd/CVE-2015-1419.patch
Normal file
|
@ -0,0 +1,104 @@
|
|||
Description: CVE-2015-1419: config option deny_file is not handled correctly
|
||||
Author: Marcus Meissner <meissner@suse.com>
|
||||
Origin: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1419
|
||||
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776922
|
||||
Last-Update: 2015-02-24
|
||||
---
|
||||
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
|
||||
Index: trunk/ls.c
|
||||
===================================================================
|
||||
--- trunk.orig/ls.c
|
||||
+++ trunk/ls.c
|
||||
@@ -7,6 +7,7 @@
|
||||
* Would you believe, code to handle directory listing.
|
||||
*/
|
||||
|
||||
+#include <stdlib.h>
|
||||
#include "ls.h"
|
||||
#include "access.h"
|
||||
#include "defs.h"
|
||||
@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct
|
||||
struct mystr temp_str = INIT_MYSTR;
|
||||
struct mystr brace_list_str = INIT_MYSTR;
|
||||
struct mystr new_filter_str = INIT_MYSTR;
|
||||
+ struct mystr normalize_filename_str = INIT_MYSTR;
|
||||
+ const char *normname;
|
||||
+ const char *path;
|
||||
int ret = 0;
|
||||
char last_token = 0;
|
||||
int must_match_at_current_pos = 1;
|
||||
+
|
||||
str_copy(&filter_remain_str, p_filter_str);
|
||||
- str_copy(&name_remain_str, p_filename_str);
|
||||
+
|
||||
+ /* normalize filepath */
|
||||
+ path = str_strdup(p_filename_str);
|
||||
+ normname = realpath(path, NULL);
|
||||
+ if (normname == NULL)
|
||||
+ goto out;
|
||||
+ str_alloc_text(&normalize_filename_str, normname);
|
||||
+
|
||||
+ if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) {
|
||||
+ if (str_get_char_at(p_filter_str, 0) == '/') {
|
||||
+ if (str_get_char_at(&normalize_filename_str, 0) != '/') {
|
||||
+ str_getcwd (&name_remain_str);
|
||||
+
|
||||
+ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
|
||||
+ str_append_char (&name_remain_str, '/');
|
||||
+
|
||||
+ str_append_str (&name_remain_str, &normalize_filename_str);
|
||||
+ }
|
||||
+ else
|
||||
+ str_copy (&name_remain_str, &normalize_filename_str);
|
||||
+ } else {
|
||||
+ if (str_get_char_at(p_filter_str, 0) != '{')
|
||||
+ str_basename (&name_remain_str, &normalize_filename_str);
|
||||
+ else
|
||||
+ str_copy (&name_remain_str, &normalize_filename_str);
|
||||
+ }
|
||||
+ } else
|
||||
+ str_copy(&name_remain_str, &normalize_filename_str);
|
||||
|
||||
while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
|
||||
{
|
||||
@@ -379,6 +411,9 @@ vsf_filename_passes_filter(const struct
|
||||
ret = 0;
|
||||
}
|
||||
out:
|
||||
+ free((char*) normname);
|
||||
+ free((char*) path);
|
||||
+ str_free(&normalize_filename_str);
|
||||
str_free(&filter_remain_str);
|
||||
str_free(&name_remain_str);
|
||||
str_free(&temp_str);
|
||||
Index: trunk/str.c
|
||||
===================================================================
|
||||
--- trunk.orig/str.c
|
||||
+++ trunk/str.c
|
||||
@@ -723,3 +723,14 @@ str_replace_unprintable(struct mystr* p_
|
||||
}
|
||||
}
|
||||
|
||||
+void
|
||||
+str_basename (struct mystr* d_str, const struct mystr* path)
|
||||
+{
|
||||
+ static struct mystr tmp;
|
||||
+
|
||||
+ str_copy (&tmp, path);
|
||||
+ str_split_char_reverse(&tmp, d_str, '/');
|
||||
+
|
||||
+ if (str_isempty(d_str))
|
||||
+ str_copy (d_str, path);
|
||||
+}
|
||||
Index: trunk/str.h
|
||||
===================================================================
|
||||
--- trunk.orig/str.h
|
||||
+++ trunk/str.h
|
||||
@@ -101,6 +101,7 @@ void str_replace_unprintable(struct myst
|
||||
int str_atoi(const struct mystr* p_str);
|
||||
filesize_t str_a_to_filesize_t(const struct mystr* p_str);
|
||||
unsigned int str_octal_to_uint(const struct mystr* p_str);
|
||||
+void str_basename (struct mystr* d_str, const struct mystr* path);
|
||||
|
||||
/* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
|
||||
* buffer, starting at character position 'p_pos'. The extracted line will
|
|
@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
|
|||
sha256 = "0mjy345wszskz1vnk83360c1y37arwgap3gwz8hy13sjqpig0imy";
|
||||
};
|
||||
|
||||
patches = [ ./CVE-2015-1419.patch ];
|
||||
|
||||
preConfigure = stdenv.lib.optionalString sslEnable ''
|
||||
echo "Will enable SSL"
|
||||
sed -i "/VSF_BUILD_SSL/s/^#undef/#define/" builddefs.h
|
||||
|
|
Loading…
Reference in a new issue