Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500 | 1 | Fix the CVE-2015-1419 |
| 2 | |
| 3 | Upstream-Status: Pending |
| 4 | |
| 5 | Try to fix deny_file parsing so that it behaves more as expected. Taken |
| 6 | from fedora. CVE-2015-1419 |
| 7 | |
| 8 | ftp://195.220.108.108/linux/fedora/linux/development/rawhide/source/SRPMS/v/vsftpd-3.0.2-13.fc22.src.rpm |
| 9 | |
| 10 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
| 11 | |
| 12 | diff -up vsftpd-2.1.0/ls.c.filter vsftpd-2.1.0/ls.c |
| 13 | --- vsftpd-2.1.0/ls.c.filter 2008-02-02 02:30:41.000000000 +0100 |
| 14 | +++ vsftpd-2.1.0/ls.c 2009-01-08 19:31:15.000000000 +0100 |
| 15 | @@ -239,9 +239,31 @@ vsf_filename_passes_filter(const struct |
| 16 | int ret = 0; |
| 17 | char last_token = 0; |
| 18 | int must_match_at_current_pos = 1; |
| 19 | + |
| 20 | + |
| 21 | str_copy(&filter_remain_str, p_filter_str); |
| 22 | - str_copy(&name_remain_str, p_filename_str); |
| 23 | - |
| 24 | + |
| 25 | + if (!str_isempty (&filter_remain_str) && !str_isempty(p_filename_str)) { |
| 26 | + if (str_get_char_at(p_filter_str, 0) == '/') { |
| 27 | + if (str_get_char_at(p_filename_str, 0) != '/') { |
| 28 | + str_getcwd (&name_remain_str); |
| 29 | + |
| 30 | + if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */ |
| 31 | + str_append_char (&name_remain_str, '/'); |
| 32 | + |
| 33 | + str_append_str (&name_remain_str, p_filename_str); |
| 34 | + } |
| 35 | + else |
| 36 | + str_copy (&name_remain_str, p_filename_str); |
| 37 | + } else { |
| 38 | + if (str_get_char_at(p_filter_str, 0) != '{') |
| 39 | + str_basename (&name_remain_str, p_filename_str); |
| 40 | + else |
| 41 | + str_copy (&name_remain_str, p_filename_str); |
| 42 | + } |
| 43 | + } else |
| 44 | + str_copy(&name_remain_str, p_filename_str); |
| 45 | + |
| 46 | while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX) |
| 47 | { |
| 48 | static struct mystr s_match_needed_str; |
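Review bot: Filters that begin with `{` skip both normalisations added here: the `else` under the `str_get_char_at(p_filter_str, 0) != '{'` test copies the client-supplied name unchanged, so alternatives inside braces are neither anchored to the working directory nor reduced to a basename, and that form keeps its pre-patch matching behaviour. The absolute-filter branch joins the `str_getcwd` result and the name without resolving `.`/`..` components or repeated slashes, and if `str_getcwd` leaves the string empty on failure (its body is not in this hunk) the name stays relative and an absolute filter cannot match, so deny_file fails open. I would record this above the block, e.g. `/* '{...}' filters see the raw client path and names are not canonicalised; deny_file must not be the only access control */`, and handle an empty cwd result explicitly instead of falling through to the append. The function starts before and continues after this hunk, so how brace alternatives are consumed later is not visible here.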
| 49 | diff -up vsftpd-2.1.0/str.c.filter vsftpd-2.1.0/str.c |
| 50 | --- vsftpd-2.1.0/str.c.filter 2008-12-17 06:54:16.000000000 +0100 |
| 51 | +++ vsftpd-2.1.0/str.c 2009-01-08 19:31:15.000000000 +0100 |
| 52 | @@ -680,3 +680,14 @@ str_replace_unprintable(struct mystr* p_ |
| 53 | } |
| 54 | } |
| 55 | |
| 56 | +void |
| 57 | +str_basename (struct mystr* d_str, const struct mystr* path) |
| 58 | +{ |
| 59 | + static struct mystr tmp; |
| 60 | + |
| 61 | + str_copy (&tmp, path); |
| 62 | + str_split_char_reverse(&tmp, d_str, '/'); |
| 63 | + |
| 64 | + if (str_isempty(d_str)) |
| 65 | + str_copy (d_str, path); |
| 66 | +} |
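Review bot: The empty-result fallback in `str_basename` does not distinguish a path with no '/' from a path that ends in '/': assuming `str_split_char_reverse` leaves `d_str` empty in both cases (its definition is outside this diff), a name with a trailing slash comes back whole rather than as its last component, so a basename filter is then compared against the full path. Stripping trailing slashes from `tmp` before the split, or stating the behaviour in a comment, would make the contract explicit. The function has no header comment; something like `/* PURPOSE: store the text after the last '/' of 'path' in 'd_str'; 'path' is copied unchanged when that text is empty */` would match the PURPOSE style used in str.h. The space before the parenthesis in `str_copy (` also differs from the `str_copy(` spelling on the context lines of ls.c.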
| 67 | diff -up vsftpd-2.1.0/str.h.filter vsftpd-2.1.0/str.h |
| 68 | --- vsftpd-2.1.0/str.h.filter 2008-12-17 06:53:23.000000000 +0100 |
| 69 | +++ vsftpd-2.1.0/str.h 2009-01-08 19:32:14.000000000 +0100 |
| 70 | @@ -100,6 +100,7 @@ void str_replace_unprintable(struct myst |
| 71 | int str_atoi(const struct mystr* p_str); |
| 72 | filesize_t str_a_to_filesize_t(const struct mystr* p_str); |
| 73 | unsigned int str_octal_to_uint(const struct mystr* p_str); |
| 74 | +void str_basename (struct mystr* d_str, const struct mystr* path); |
| 75 | |
| 76 | /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string |
| 77 | * buffer, starting at character position 'p_pos'. The extracted line will |