summary refs log tree commit diff
path: root/gnu/packages/patches/qemu-CVE-2020-7211.patch
blob: 2885dda411fb8ee8dc54b9efb4d9b3699325618c (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
Fix CVE-2020-7211:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7211

Patch copied from upstream dependency repository:

https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4

From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 13 Jan 2020 17:44:31 +0530
Subject: [PATCH] slirp: tftp: restrict relative path access

tftp restricts relative or directory path access on Linux systems.
Apply same restrictions on Windows systems too. It helps to avoid
directory traversal issue.

Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
---
 src/tftp.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/tftp.c b/src/tftp.c
index 093c2e0..e52e71b 100644
--- a/slirp/src/tftp.c
+++ b/slirp/src/tftp.c
@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
     k += 6; /* skipping octet */
 
     /* do sanity checks on the filename */
-    if (!strncmp(req_fname, "../", 3) ||
-        req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
+    if (
+#ifdef G_OS_WIN32
+        strstr(req_fname, "..\\") ||
+        req_fname[strlen(req_fname) - 1] == '\\' ||
+#endif
+        strstr(req_fname, "../") ||
+        req_fname[strlen(req_fname) - 1] == '/') {
         tftp_send_error(spt, 2, "Access violation", tp);
         return;
     }
-- 
2.24.1