pkgs/by-name/vs/vsftpd/CVE-2015-1419.patch

   1 Description: CVE-2015-1419: config option deny_file is not handled correctly
   2 Author: Marcus Meissner <meissner@suse.com>
   3 Origin: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1419
   4 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776922
   5 Last-Update: 2015-02-24
   6 ---
   7 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
   8 Index: trunk/ls.c
   9 ===================================================================
  10 --- trunk.orig/ls.c
  11 +++ trunk/ls.c
  12 @@ -7,6 +7,7 @@
  13   * Would you believe, code to handle directory listing.
  14   */
  15
  16 +#include <stdlib.h>
  17  #include "ls.h"
  18  #include "access.h"
  19  #include "defs.h"
  20 @@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct
  21    struct mystr temp_str = INIT_MYSTR;
  22    struct mystr brace_list_str = INIT_MYSTR;
  23    struct mystr new_filter_str = INIT_MYSTR;
  24 +  struct mystr normalize_filename_str = INIT_MYSTR;
  25 +  const char *normname;
  26 +  const char *path;
  27    int ret = 0;
  28    char last_token = 0;
  29    int must_match_at_current_pos = 1;
  30 +
  31    str_copy(&filter_remain_str, p_filter_str);
  32 -  str_copy(&name_remain_str, p_filename_str);
  33 +
  34 +  /* normalize filepath */
  35 +  path = str_strdup(p_filename_str);
  36 +  normname = realpath(path, NULL);
  37 +  if (normname == NULL)
  38 +     goto out;
  39 +  str_alloc_text(&normalize_filename_str, normname);
  40 +
  41 +  if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) {
  42 +    if (str_get_char_at(p_filter_str, 0) == '/') {
  43 +      if (str_get_char_at(&normalize_filename_str, 0) != '/') {
  44 +        str_getcwd (&name_remain_str);
  45 +
  46 +        if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
  47 +          str_append_char (&name_remain_str, '/');
  48 +
  49 +        str_append_str (&name_remain_str, &normalize_filename_str);
  50 +      }
  51 +      else
  52 +       str_copy (&name_remain_str, &normalize_filename_str);
  53 +    } else {
  54 +      if (str_get_char_at(p_filter_str, 0) != '{')
  55 +        str_basename (&name_remain_str, &normalize_filename_str);
  56 +      else
  57 +        str_copy (&name_remain_str, &normalize_filename_str);
  58 +    }
  59 +  } else
  60 +    str_copy(&name_remain_str, &normalize_filename_str);
  61
  62    while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
  63    {
  64 @@ -379,6 +411,9 @@ vsf_filename_passes_filter(const struct
  65      ret = 0;
  66    }
  67  out:
  68 +  free((char*) normname);
  69 +  free((char*) path);
  70 +  str_free(&normalize_filename_str);
  71    str_free(&filter_remain_str);
  72    str_free(&name_remain_str);
  73    str_free(&temp_str);
  74 Index: trunk/str.c
  75 ===================================================================
  76 --- trunk.orig/str.c
  77 +++ trunk/str.c
  78 @@ -723,3 +723,14 @@ str_replace_unprintable(struct mystr* p_
  79    }
  80  }
  81
  82 +void
  83 +str_basename (struct mystr* d_str, const struct mystr* path)
  84 +{
  85 +  static struct mystr tmp;
  86 +
  87 +  str_copy (&tmp, path);
  88 +  str_split_char_reverse(&tmp, d_str, '/');
  89 +
  90 +  if (str_isempty(d_str))
  91 +   str_copy (d_str, path);
  92 +}
  93 Index: trunk/str.h
  94 ===================================================================
  95 --- trunk.orig/str.h
  96 +++ trunk/str.h
  97 @@ -101,6 +101,7 @@ void str_replace_unprintable(struct myst
  98  int str_atoi(const struct mystr* p_str);
  99  filesize_t str_a_to_filesize_t(const struct mystr* p_str);
 100  unsigned int str_octal_to_uint(const struct mystr* p_str);
 101 +void str_basename (struct mystr* d_str, const struct mystr* path);
 102
 103  /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
 104   * buffer, starting at character position 'p_pos'. The extracted line will