From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 13 Jan 2020 17:44:31 +0530
Subject: [PATCH] slirp: tftp: restrict relative path access
tftp restricts relative or directory path access on Linux systems.
Apply same restrictions on Windows systems too. It helps to avoid
directory traversal issue.
Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
---
 src/tftp.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff -up ./slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tftp.c.CVE-2020-7211 ./slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tftp.c
1fbe6a
--- slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tftp.c.CVE-2020-7211	2020-01-17 08:02:07.630600572 +0100
1fbe6a
+++ slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tftp.c	2020-01-17 08:02:07.632600595 +0100
1fbe6a
@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp
1fbe6a
     k += 6; /* skipping octet */
8cd64c
 
1fbe6a
     /* do sanity checks on the filename */
1fbe6a
-    if (!strncmp(req_fname, "../", 3) ||
1fbe6a
-        req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
1fbe6a
+    if (
8cd64c
+#ifdef G_OS_WIN32
1fbe6a
+        strstr(req_fname, "..\\") ||
1fbe6a
+        req_fname[strlen(req_fname) - 1] == '\\' ||
8cd64c
+#endif
1fbe6a
+        strstr(req_fname, "../") ||
1fbe6a
+        req_fname[strlen(req_fname) - 1] == '/') {
1fbe6a
         tftp_send_error(spt, 2, "Access violation", tp);
1fbe6a
         return;
1fbe6a
     }
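Review bot: Both trailing-separator tests index `req_fname[strlen(req_fname) - 1]`, and nothing in the hunk rules out an empty name, for which the index wraps; whether that read stays inside the buffer depends on how `req_fname` is set up earlier in tftp_handle_rrq, which starts and ends outside this hunk. Taking the length once and rejecting the empty case explicitly removes that dependency: `size_t len = strlen(req_fname);` before the test, then `len == 0 ||` as the first operand and `req_fname[len - 1]` in place of the two repeated calls. Separately, `strstr(req_fname, "../")` is a substring match, so it also refuses names such as `a../b`, while a name whose last component is a bare `..` is not matched by any of the four tests; a short comment stating that the check is deliberately broader than a per-component comparison, and what is relied on to refuse a trailing `..`, would help the next reader.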