mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-11-13 18:36:14 -05:00
f528df99f1
* gnu/packages/patches/qemu-CVE-2020-7039.patch, gnu/packages/patches/qemu-CVE-2020-7211.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/virtualization.scm (qemu)[source]: Use them.
49 lines
1.6 KiB
Diff
49 lines
1.6 KiB
Diff
Fix CVE-2020-7211:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7211
|
|
|
|
Patch copied from upstream dependency repository:
|
|
|
|
https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4
|
|
|
|
From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
|
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Mon, 13 Jan 2020 17:44:31 +0530
|
|
Subject: [PATCH] slirp: tftp: restrict relative path access
|
|
|
|
tftp restricts relative or directory path access on Linux systems.
|
|
Apply same restrictions on Windows systems too. It helps to avoid
|
|
directory traversal issue.
|
|
|
|
Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
|
|
Reported-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
|
|
---
|
|
src/tftp.c | 9 +++++++--
|
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/tftp.c b/src/tftp.c
|
|
index 093c2e0..e52e71b 100644
|
|
--- a/slirp/src/tftp.c
|
|
+++ b/slirp/src/tftp.c
|
|
@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
|
|
k += 6; /* skipping octet */
|
|
|
|
/* do sanity checks on the filename */
|
|
- if (!strncmp(req_fname, "../", 3) ||
|
|
- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
|
|
+ if (
|
|
+#ifdef G_OS_WIN32
|
|
+ strstr(req_fname, "..\\") ||
|
|
+ req_fname[strlen(req_fname) - 1] == '\\' ||
|
|
+#endif
|
|
+ strstr(req_fname, "../") ||
|
|
+ req_fname[strlen(req_fname) - 1] == '/') {
|
|
tftp_send_error(spt, 2, "Access violation", tp);
|
|
return;
|
|
}
|
|
--
|
|
2.24.1
|
|
|