vsftpd: add security fix for CVE-2015-1419 (93e1f24e) · Commits · Dom Sekotill / buildroot

package/vsftpd/0003-fix-CVE-2015-1419.patch

0 → 100644

+102 −0

Original line number	Diff line number	Diff line
		Fix CVE-2015-1419 - config option deny_file is not handled correctly.
		From SUSE: https://bugzilla.suse.com/show_bug.cgi?id=915522

		Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

		Index: vsftpd-3.0.2/ls.c
		===================================================================
		--- vsftpd-3.0.2.orig/ls.c
		+++ vsftpd-3.0.2/ls.c
		@@ -7,6 +7,7 @@
		* Would you believe, code to handle directory listing.
		*/

		+#include <stdlib.h>
		#include "ls.h"
		#include "access.h"
		#include "defs.h"
		@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct
		struct mystr temp_str = INIT_MYSTR;
		struct mystr brace_list_str = INIT_MYSTR;
		struct mystr new_filter_str = INIT_MYSTR;
		+ struct mystr normalize_filename_str = INIT_MYSTR;
		+ const char *normname;
		+ const char *path;
		int ret = 0;
		char last_token = 0;
		int must_match_at_current_pos = 1;
		+
		str_copy(&filter_remain_str, p_filter_str);
		- str_copy(&name_remain_str, p_filename_str);
		+
		+ /* normalize filepath */
		+ path = str_strdup(p_filename_str);
		+ normname = realpath(path, NULL);
		+ if (normname == NULL)
		+ goto out;
		+ str_alloc_text(&normalize_filename_str, normname);
		+
		+ if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) {
		+ if (str_get_char_at(p_filter_str, 0) == '/') {
		+ if (str_get_char_at(&normalize_filename_str, 0) != '/') {
		+ str_getcwd (&name_remain_str);
		+
		+ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
		+ str_append_char (&name_remain_str, '/');
		+
		+ str_append_str (&name_remain_str, &normalize_filename_str);
		+ }
		+ else
		+ str_copy (&name_remain_str, &normalize_filename_str);
		+ } else {
		+ if (str_get_char_at(p_filter_str, 0) != '{')
		+ str_basename (&name_remain_str, &normalize_filename_str);
		+ else
		+ str_copy (&name_remain_str, &normalize_filename_str);
		+ }
		+ } else
		+ str_copy(&name_remain_str, &normalize_filename_str);

		while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
		{
		@@ -360,6 +392,9 @@ vsf_filename_passes_filter(const struct
		ret = 0;
		}
		out:
		+ free(normname);
		+ free(path);
		+ str_free(&normalize_filename_str);
		str_free(&filter_remain_str);
		str_free(&name_remain_str);
		str_free(&temp_str);
		Index: vsftpd-3.0.2/str.c
		===================================================================
		--- vsftpd-3.0.2.orig/str.c
		+++ vsftpd-3.0.2/str.c
		@@ -770,3 +770,14 @@ str_replace_unprintable(struct mystr* p_
		}
		}

		+void
		+str_basename (struct mystr* d_str, const struct mystr* path)
		+{
		+ static struct mystr tmp;
		+
		+ str_copy (&tmp, path);
		+ str_split_char_reverse(&tmp, d_str, '/');
		+
		+ if (str_isempty(d_str))
		+ str_copy (d_str, path);
		+}
		Index: vsftpd-3.0.2/str.h
		===================================================================
		--- vsftpd-3.0.2.orig/str.h
		+++ vsftpd-3.0.2/str.h
		@@ -101,6 +101,7 @@ void str_replace_unprintable(struct myst
		int str_atoi(const struct mystr* p_str);
		filesize_t str_a_to_filesize_t(const struct mystr* p_str);
		unsigned int str_octal_to_uint(const struct mystr* p_str);
		+void str_basename (struct mystr* d_str, const struct mystr* path);

		/* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
		* buffer, starting at character position 'p_pos'. The extracted line will

package/vsftpd/vsftpd.hash

0 → 100644

+2 −0

Original line number	Diff line number	Diff line
		# Locally calculated after checking pgp signature
		sha256 be46f0e2c5528fe021fafc8dab1ecfea0c1f183063a06977f8537fcd0b195e56 vsftpd-3.0.2.tar.gz