vsftpd: fix CVE-2015-1419

Adds patch from Debian.

+106
+104
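--- a/pkgs/servers/ftp/vsftpd/CVE-2015-1419.patch
+++ b/pkgs/servers/ftp/vsftpd/CVE-2015-1419.patch
@@ -0,0 +1,104 @@
+Description: CVE-2015-1419: config option deny_file is not handled correctly
+Author: Marcus Meissner <meissner@suse.com>
+Origin: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1419
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776922
+Last-Update: 2015-02-24
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/ls.c
+===================================================================
+--- trunk.orig/ls.c
++++ trunk/ls.c
+@@ -7,6 +7,7 @@
+* Would you believe, code to handle directory listing.
+*/
+
++#include <stdlib.h>
+#include "ls.h"
+#include "access.h"
+#include "defs.h"
+@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct
+struct mystr temp_str = INIT_MYSTR;
+struct mystr brace_list_str = INIT_MYSTR;
+struct mystr new_filter_str = INIT_MYSTR;
++ struct mystr normalize_filename_str = INIT_MYSTR;
++ const char *normname;
++ const char *path;
+int ret = 0;
+char last_token = 0;
+int must_match_at_current_pos = 1;
+
+str_copy(&filter_remain_str, p_filter_str);
+- str_copy(&name_remain_str, p_filename_str);
++
++ /* normalize filepath */
++ path = str_strdup(p_filename_str);
++ normname = realpath(path, NULL);
++ if (normname == NULL)
++ goto out;
++ str_alloc_text(&normalize_filename_str, normname);
++
++ if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) {
++ if (str_get_char_at(p_filter_str, 0) == '/') {
++ if (str_get_char_at(&normalize_filename_str, 0) != '/') {
++ str_getcwd (&name_remain_str);
++
++ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
++ str_append_char (&name_remain_str, '/');
++
++ str_append_str (&name_remain_str, &normalize_filename_str);
++ }
++ else
++ str_copy (&name_remain_str, &normalize_filename_str);
++ } else {
++ if (str_get_char_at(p_filter_str, 0) != '{')
++ str_basename (&name_remain_str, &normalize_filename_str);
++ else
++ str_copy (&name_remain_str, &normalize_filename_str);
++ }
++ } else
++ str_copy(&name_remain_str, &normalize_filename_str);
+
+while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
+{
+@@ -379,6 +411,9 @@ vsf_filename_passes_filter(const struct
+ret = 0;
+}
+out:
++ free((char*) normname);
++ free((char*) path);
++ str_free(&normalize_filename_str);
+str_free(&filter_remain_str);
+str_free(&name_remain_str);
+str_free(&temp_str);
+Index: trunk/str.c
+===================================================================
+--- trunk.orig/str.c
++++ trunk/str.c
+@@ -723,3 +723,14 @@ str_replace_unprintable(struct mystr* p_
+}
+}
+
++void
++str_basename (struct mystr* d_str, const struct mystr* path)
++{
++ static struct mystr tmp;
++
++ str_copy (&tmp, path);
++ str_split_char_reverse(&tmp, d_str, '/');
++
++ if (str_isempty(d_str))
++ str_copy (d_str, path);
++}
+Index: trunk/str.h
+===================================================================
+--- trunk.orig/str.h
++++ trunk/str.h
+@@ -101,6 +101,7 @@ void str_replace_unprintable(struct myst
+int str_atoi(const struct mystr* p_str);
+filesize_t str_a_to_filesize_t(const struct mystr* p_str);
+unsigned int str_octal_to_uint(const struct mystr* p_str);
++void str_basename (struct mystr* d_str, const struct mystr* path);
+
+/* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
+* buffer, starting at character position 'p_pos'. The extracted line will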
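Review bot: In the ls.c hunk of the imported patch, a NULL return from `realpath(path, NULL)` jumps straight to `out` with `ret` still 0, so a name that cannot be resolved (for example one that does not exist yet) is reported as not matching the filter. The callers of vsf_filename_passes_filter and the rest of its body are outside what is shown, but if a zero return is read as "not covered by deny_file", the check fails open for exactly those names. Falling back to the unresolved name keeps the filter in force: `if (normname == NULL) str_copy(&normalize_filename_str, p_filename_str); else str_alloc_text(&normalize_filename_str, normname);` — the `free` calls at `out` already accept NULL. It is also worth recording in a comment above the `realpath` call that matching now happens on the symlink-resolved path rather than on the name the client sent, since that changes which deny_file patterns apply. As the file is taken from Debian, this would best land as a follow-up patch rather than an edit to the imported one.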
+2
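--- a/pkgs/servers/ftp/vsftpd/default.nix
+++ b/pkgs/servers/ftp/vsftpd/default.nix
@@ -8,6 +8,8 @@
 sha256 = "0mjy345wszskz1vnk83360c1y37arwgap3gwz8hy13sjqpig0imy";
 };
 
+patches = [ ./CVE-2015-1419.patch ];
+
 preConfigure = stdenv.lib.optionalString sslEnable ''
 echo "Will enable SSL"
 sed -i "/VSF_BUILD_SSL/s/^#undef/#define/" builddefs.h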