| blob | 32481692b377c08a1c134c5ec814629895c5985c |
1 Description: Fix symlink directory traversal.
2 Do not allow symlinks that traverse the current directoru, nor absolute
3 symlinks.
4 .
5 Fixes CVE-2015-0556.
6 Author: Guillem Jover <guillem@debian.org>
7 Origin: vendor
8 Bug-Debian: https://bugs.debian.org/774434
9 Forwarded: no
10 Last-Update: 2015-03-28
12 ---
13 uxspec.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
14 1 file changed, 54 insertions(+)
16 --- a/uxspec.c
17 +++ b/uxspec.c
18 @@ -120,6 +120,58 @@ int query_uxspecial(char FAR **dest, cha
19 }
20 #endif
22 +#if TARGET==UNIX
23 +static int is_link_traversal(const char *name)
24 +{
25 + enum {
26 + STATE_NONE,
27 + STATE_DOTS,
28 + STATE_NAME,
29 + } state = STATE_NONE;
30 + int ndir = 0;
31 + int dots = 0;
32 +
33 + while(*name) {
34 + int c = *name++;
35 +
36 + if (c == '/')
37 + {
38 + if ((state == STATE_DOTS) && (dots == 2))
39 + ndir--;
40 + if (ndir < 0)
41 + return 1;
42 + if ((state == STATE_DOTS && dots == 1) && ndir == 0)
43 + return 1;
44 + if (state == STATE_NONE && ndir == 0)
45 + return 1;
46 + if ((state == STATE_DOTS) && (dots > 2))
47 + ndir++;
48 + state = STATE_NONE;
49 + dots = 0;
50 + }
51 + else if (c == '.')
52 + {
53 + if (state == STATE_NONE)
54 + state = STATE_DOTS;
55 + dots++;
56 + }
57 + else
58 + {
59 + if (state == STATE_NONE)
60 + ndir++;
61 + state = STATE_NAME;
62 + }
63 + }
64 +
65 + if ((state == STATE_DOTS) && (dots == 2))
66 + ndir--;
67 + if ((state == STATE_DOTS) && (dots > 2))
68 + ndir++;
69 +
70 + return ndir < 0;
71 +}
72 +#endif
73 +
74 /* Restores the UNIX special file data */
76 int set_uxspecial(char FAR *storage, char *name)
77 @@ -156,6 +208,8 @@ int set_uxspecial(char FAR *storage, cha
78 l=sizeof(tmp_name)-1;
79 far_memmove((char FAR *)tmp_name, dptr, l);
80 tmp_name[l]='\0';
81 + if (is_link_traversal(tmp_name))
82 + return(UXSPEC_RC_ERROR);
83 rc=(id==UXSB_HLNK)?link(tmp_name, name):symlink(tmp_name, name);
84 if(!rc)
85 return(0);