guix/gnu/packages/patches/qemu-CVE-2018-16867.patch

Fix CVE-2018-16867:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867
https://seclists.org/oss-sec/2018/q4/202

Patch copied from upstream source repository:

https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6

From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 3 Dec 2018 11:10:45 +0100
Subject: [PATCH] usb-mtp: outlaw slashes in filenames
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Slash is unix directory separator, so they are not allowed in filenames.
Note this also stops the classic escape via "../".

Fixes: CVE-2018-16867
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181203101045.27976-3-kraxel@redhat.com
---
 hw/usb/dev-mtp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 0f6a9702ef1..100b7171f4e 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s)
 
     filename = utf16_to_str(dataset->length, dataset->filename);
 
+    if (strchr(filename, '/')) {
+        usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
+                             0, 0, 0, 0);
+        return;
+    }
+
     o = usb_mtp_object_lookup_name(p, filename, dataset->length);
     if (o != NULL) {
         next_handle = o->handle;
-- 
2.19.2
gnu: QEMU: Fix CVE-2018-16847 and CVE-2018-16867. * gnu/packages/patches/qemu-CVE-2018-16847.patch, gnu/packages/patches/qemu-CVE-2018-16867.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/virtualization.scm (qemu)[source]: Use them. 2018-12-06 15:12:51 -05:00			`Fix CVE-2018-16867:`

			`https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867`
			`https://seclists.org/oss-sec/2018/q4/202`

			`Patch copied from upstream source repository:`

			`https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6`

			`From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001`
			`From: Gerd Hoffmann <kraxel@redhat.com>`
			`Date: Mon, 3 Dec 2018 11:10:45 +0100`
			`Subject: [PATCH] usb-mtp: outlaw slashes in filenames`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`Slash is unix directory separator, so they are not allowed in filenames.`
			`Note this also stops the classic escape via "../".`

			`Fixes: CVE-2018-16867`
			`Reported-by: Michael Hanselmann <public@hansmi.ch>`
			`Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>`
			`Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>`
			`Message-id: 20181203101045.27976-3-kraxel@redhat.com`
			`---`
			`hw/usb/dev-mtp.c \| 6 ++++++`
			`1 file changed, 6 insertions(+)`

			`diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c`
			`index 0f6a9702ef1..100b7171f4e 100644`
			`--- a/hw/usb/dev-mtp.c`
			`+++ b/hw/usb/dev-mtp.c`
			`@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s)`

			`filename = utf16_to_str(dataset->length, dataset->filename);`

			`+ if (strchr(filename, '/')) {`
			`+ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,`
			`+ 0, 0, 0, 0);`
			`+ return;`
			`+ }`
			`+`
			`o = usb_mtp_object_lookup_name(p, filename, dataset->length);`
			`if (o != NULL) {`
			`next_handle = o->handle;`
			`--`
			`2.19.2`