1*4882a593SmuzhiyunFix CVE-2015-1419 - config option deny_file is not handled correctly.
2*4882a593SmuzhiyunFrom SUSE: https://bugzilla.suse.com/show_bug.cgi?id=915522
3*4882a593Smuzhiyun
4*4882a593SmuzhiyunSigned-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunIndex: vsftpd-3.0.2/ls.c
7*4882a593Smuzhiyun===================================================================
8*4882a593Smuzhiyun--- vsftpd-3.0.2.orig/ls.c
9*4882a593Smuzhiyun+++ vsftpd-3.0.2/ls.c
10*4882a593Smuzhiyun@@ -7,6 +7,7 @@
11*4882a593Smuzhiyun * Would you believe, code to handle directory listing.
12*4882a593Smuzhiyun */
13*4882a593Smuzhiyun
14*4882a593Smuzhiyun+#include <stdlib.h>
15*4882a593Smuzhiyun #include "ls.h"
16*4882a593Smuzhiyun #include "access.h"
17*4882a593Smuzhiyun #include "defs.h"
18*4882a593Smuzhiyun@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct
19*4882a593Smuzhiyun struct mystr temp_str = INIT_MYSTR;
20*4882a593Smuzhiyun struct mystr brace_list_str = INIT_MYSTR;
21*4882a593Smuzhiyun struct mystr new_filter_str = INIT_MYSTR;
22*4882a593Smuzhiyun+ struct mystr normalize_filename_str = INIT_MYSTR;
23*4882a593Smuzhiyun+ const char *normname;
24*4882a593Smuzhiyun+ const char *path;
25*4882a593Smuzhiyun int ret = 0;
26*4882a593Smuzhiyun char last_token = 0;
27*4882a593Smuzhiyun int must_match_at_current_pos = 1;
28*4882a593Smuzhiyun+
29*4882a593Smuzhiyun str_copy(&filter_remain_str, p_filter_str);
30*4882a593Smuzhiyun- str_copy(&name_remain_str, p_filename_str);
31*4882a593Smuzhiyun+
32*4882a593Smuzhiyun+ /* normalize filepath */
33*4882a593Smuzhiyun+ path = str_strdup(p_filename_str);
34*4882a593Smuzhiyun+ normname = realpath(path, NULL);
35*4882a593Smuzhiyun+ if (normname == NULL)
36*4882a593Smuzhiyun+ goto out;
37*4882a593Smuzhiyun+ str_alloc_text(&normalize_filename_str, normname);
38*4882a593Smuzhiyun+
39*4882a593Smuzhiyun+ if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) {
40*4882a593Smuzhiyun+ if (str_get_char_at(p_filter_str, 0) == '/') {
41*4882a593Smuzhiyun+ if (str_get_char_at(&normalize_filename_str, 0) != '/') {
42*4882a593Smuzhiyun+ str_getcwd (&name_remain_str);
43*4882a593Smuzhiyun+
44*4882a593Smuzhiyun+ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
45*4882a593Smuzhiyun+ str_append_char (&name_remain_str, '/');
46*4882a593Smuzhiyun+
47*4882a593Smuzhiyun+ str_append_str (&name_remain_str, &normalize_filename_str);
48*4882a593Smuzhiyun+ }
49*4882a593Smuzhiyun+ else
50*4882a593Smuzhiyun+ str_copy (&name_remain_str, &normalize_filename_str);
51*4882a593Smuzhiyun+ } else {
52*4882a593Smuzhiyun+ if (str_get_char_at(p_filter_str, 0) != '{')
53*4882a593Smuzhiyun+ str_basename (&name_remain_str, &normalize_filename_str);
54*4882a593Smuzhiyun+ else
55*4882a593Smuzhiyun+ str_copy (&name_remain_str, &normalize_filename_str);
56*4882a593Smuzhiyun+ }
57*4882a593Smuzhiyun+ } else
58*4882a593Smuzhiyun+ str_copy(&name_remain_str, &normalize_filename_str);
59*4882a593Smuzhiyun
60*4882a593Smuzhiyun while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
61*4882a593Smuzhiyun {
62*4882a593Smuzhiyun@@ -360,6 +392,9 @@ vsf_filename_passes_filter(const struct
63*4882a593Smuzhiyun ret = 0;
64*4882a593Smuzhiyun }
65*4882a593Smuzhiyun out:
66*4882a593Smuzhiyun+ free(normname);
67*4882a593Smuzhiyun+ free(path);
68*4882a593Smuzhiyun+ str_free(&normalize_filename_str);
69*4882a593Smuzhiyun str_free(&filter_remain_str);
70*4882a593Smuzhiyun str_free(&name_remain_str);
71*4882a593Smuzhiyun str_free(&temp_str);
72*4882a593SmuzhiyunIndex: vsftpd-3.0.2/str.c
73*4882a593Smuzhiyun===================================================================
74*4882a593Smuzhiyun--- vsftpd-3.0.2.orig/str.c
75*4882a593Smuzhiyun+++ vsftpd-3.0.2/str.c
76*4882a593Smuzhiyun@@ -711,3 +711,14 @@ str_replace_unprintable(struct mystr* p_
77*4882a593Smuzhiyun }
78*4882a593Smuzhiyun }
79*4882a593Smuzhiyun
80*4882a593Smuzhiyun+void
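Review bot: When `realpath()` fails, the added `if (normname == NULL) goto out;` leaves `ret` at 0, so a name that cannot be resolved (for example one that does not exist yet) is reported as matching no filter. For a deny_file pattern that looks like a fail-open result, though the callers are outside this hunk; falling back to the unresolved name would keep the filter in force, e.g. `if (normname == NULL) str_copy(&normalize_filename_str, p_filename_str); else str_alloc_text(&normalize_filename_str, normname);`. Separately, `realpath()` only returns absolute paths, so the `str_getcwd` branch guarded by `str_get_char_at(&normalize_filename_str, 0) != '/'` appears unreachable as written and would only matter with such a fallback. The function starts before this hunk and continues past it.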
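Review bot: `free(normname)` and `free(path)` after `out:` are handed `const char *` objects (declared that way in the previous hunk), which discards the qualifier and draws a compiler diagnostic. Declaring the `realpath()` result as `char *normname = NULL;` and writing `free((void *) path);` makes the ownership explicit. `path` is only needed for the `realpath()` call, so it could be released right after that call instead of being carried to the cleanup label. Whether plain `free()` is the matching deallocator for what `str_strdup()` returns is not visible on this page and is worth confirming.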
81*4882a593Smuzhiyun+str_basename (struct mystr* d_str, const struct mystr* path)
82*4882a593Smuzhiyun+{
83*4882a593Smuzhiyun+ static struct mystr tmp;
84*4882a593Smuzhiyun+
85*4882a593Smuzhiyun+ str_copy (&tmp, path);
86*4882a593Smuzhiyun+ str_split_char_reverse(&tmp, d_str, '/');
87*4882a593Smuzhiyun+
88*4882a593Smuzhiyun+ if (str_isempty(d_str))
89*4882a593Smuzhiyun+ str_copy (d_str, path);
90*4882a593Smuzhiyun+}
91*4882a593SmuzhiyunIndex: vsftpd-3.0.2/str.h
92*4882a593Smuzhiyun===================================================================
93*4882a593Smuzhiyun--- vsftpd-3.0.2.orig/str.h
94*4882a593Smuzhiyun+++ vsftpd-3.0.2/str.h
95*4882a593Smuzhiyun@@ -100,6 +100,7 @@ void str_replace_unprintable(struct myst
96*4882a593Smuzhiyun int str_atoi(const struct mystr* p_str);
97*4882a593Smuzhiyun filesize_t str_a_to_filesize_t(const struct mystr* p_str);
98*4882a593Smuzhiyun unsigned int str_octal_to_uint(const struct mystr* p_str);
99*4882a593Smuzhiyun+void str_basename (struct mystr* d_str, const struct mystr* path);
100*4882a593Smuzhiyun
101*4882a593Smuzhiyun /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
102*4882a593Smuzhiyun * buffer, starting at character position 'p_pos'. The extracted line will
103
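Review bot: `static struct mystr tmp;` in `str_basename` keeps a heap copy of the last path it was given for the life of the process and makes the helper non-reentrant, yet nothing in the function needs the value to persist between calls. A local using the initializer already used in this patch, `struct mystr tmp = INIT_MYSTR;`, with `str_free(&tmp);` before returning, would match the cleanup pattern in `vsf_filename_passes_filter`. The function also has no comment; a short header stating that `d_str` receives the text after the last '/' and that the whole path is copied when the split leaves `d_str` empty would document the contract.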