1From a7831a16c3e0e1463d5eb08a58af152cb75ca976 Mon Sep 17 00:00:00 2001 2From: Yi Zhao <yi.zhao@windriver.com> 3Date: Mon, 15 Apr 2019 06:05:58 +0000 4Subject: [PATCH] Fix CVE-2019-7282 and CVE-2019-7283 5 6Description: Fix CVE-2018-20685 and CVE-2019-6111 7Bug-Debian: https://bugs.debian.org/920486 8Origin: https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2#diff-9f340c228413d5a9a9206ea2ed2bc624R1114 9 10Upstream-Status: Backport [Debian] 11[https://sources.debian.org/src/netkit-rsh/0.17-20/debian/patches/fix-CVE-2018-20685-and-CVE-2019-6111.patch] 12 13CVE: CVE-2019-7282 CVE-2019-7283 14 15Signed-off-by: Yi Zhao <yi.zhao@windriver.com> 16--- 17 rcp/rcp.c | 5 +++++ 18 1 file changed, 5 insertions(+) 19 20diff --git a/rcp/rcp.c b/rcp/rcp.c 21index ca61c18..77d8ff8 100644 22--- a/rcp/rcp.c 23+++ b/rcp/rcp.c 24@@ -740,6 +740,11 @@ sink(int argc, char *argv[]) 25 size = size * 10 + (*cp++ - '0'); 26 if (*cp++ != ' ') 27 SCREWUP("size not delimited"); 28+ if (*cp == '\0' || strchr(cp, '/') != NULL || 29+ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) { 30+ error("error: unexpected filename: %s", cp); 31+ exit(1); 32+ } 33 if (targisdir) { 34 static char *namebuf; 35 static int cursize; 36