Browse Source

[packages] vsftpd: CVE-2015-1419 Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.

lilik-openwrt-22.03
Cezary Jackiewicz 10 years ago
parent
commit
62fff58380
2 changed files with 99 additions and 1 deletions
  1. +1
    -1
      net/vsftpd/Makefile
  2. +98
    -0
      net/vsftpd/patches/007-CVE-2015-1419.patch

+ 1
- 1
net/vsftpd/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=vsftpd
PKG_VERSION:=3.0.2
PKG_RELEASE:=5
PKG_RELEASE:=6
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://security.appspot.com/downloads/


+ 98
- 0
net/vsftpd/patches/007-CVE-2015-1419.patch View File

@ -0,0 +1,98 @@
Description: CVE-2015-1419: config option deny_file is not handled correctly
Author: Marcus Meissner <meissner@suse.com>
Origin: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1419
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776922
Last-Update: 2015-02-24
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/ls.c
+++ b/ls.c
@@ -7,6 +7,7 @@
* Would you believe, code to handle directory listing.
*/
+#include <stdlib.h>
#include "ls.h"
#include "access.h"
#include "defs.h"
@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct
struct mystr temp_str = INIT_MYSTR;
struct mystr brace_list_str = INIT_MYSTR;
struct mystr new_filter_str = INIT_MYSTR;
+ struct mystr normalize_filename_str = INIT_MYSTR;
+ const char *normname;
+ const char *path;
int ret = 0;
char last_token = 0;
int must_match_at_current_pos = 1;
+
str_copy(&filter_remain_str, p_filter_str);
- str_copy(&name_remain_str, p_filename_str);
+
+ /* normalize filepath */
+ path = str_strdup(p_filename_str);
+ normname = realpath(path, NULL);
+ if (normname == NULL)
+ goto out;
+ str_alloc_text(&normalize_filename_str, normname);
+
+ if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) {
+ if (str_get_char_at(p_filter_str, 0) == '/') {
+ if (str_get_char_at(&normalize_filename_str, 0) != '/') {
+ str_getcwd (&name_remain_str);
+
+ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
+ str_append_char (&name_remain_str, '/');
+
+ str_append_str (&name_remain_str, &normalize_filename_str);
+ }
+ else
+ str_copy (&name_remain_str, &normalize_filename_str);
+ } else {
+ if (str_get_char_at(p_filter_str, 0) != '{')
+ str_basename (&name_remain_str, &normalize_filename_str);
+ else
+ str_copy (&name_remain_str, &normalize_filename_str);
+ }
+ } else
+ str_copy(&name_remain_str, &normalize_filename_str);
while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
{
@@ -360,6 +392,9 @@ vsf_filename_passes_filter(const struct
ret = 0;
}
out:
+ free(normname);
+ free(path);
+ str_free(&normalize_filename_str);
str_free(&filter_remain_str);
str_free(&name_remain_str);
str_free(&temp_str);
--- a/str.c
+++ b/str.c
@@ -711,3 +711,14 @@ str_replace_unprintable(struct mystr* p_
}
}
+void
+str_basename (struct mystr* d_str, const struct mystr* path)
+{
+ static struct mystr tmp;
+
+ str_copy (&tmp, path);
+ str_split_char_reverse(&tmp, d_str, '/');
+
+ if (str_isempty(d_str))
+ str_copy (d_str, path);
+}
--- a/str.h
+++ b/str.h
@@ -100,6 +100,7 @@ void str_replace_unprintable(struct myst
int str_atoi(const struct mystr* p_str);
filesize_t str_a_to_filesize_t(const struct mystr* p_str);
unsigned int str_octal_to_uint(const struct mystr* p_str);
+void str_basename (struct mystr* d_str, const struct mystr* path);
/* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
* buffer, starting at character position 'p_pos'. The extracted line will

Loading…
Cancel
Save