diff options
| author | Leo Famulari <leo@famulari.name> | 2020-01-20 11:34:01 -0500 |
|---|---|---|
| committer | Leo Famulari <leo@famulari.name> | 2020-01-24 21:09:28 -0500 |
| commit | f528df99f1e99fa32f7cc6d291262192234ec758 (patch) | |
| tree | 90d646e58c5648957c01cf9513ed55e3ae636442 /gnu/packages/patches/qemu-CVE-2020-7211.patch | |
| parent | 0ef7e44439c6e1b87bea5cdc39f1fa07e62edba4 (diff) | |
gnu: QEMU: Fix CVE-2020-{7039,7211}.
* gnu/packages/patches/qemu-CVE-2020-7039.patch,
gnu/packages/patches/qemu-CVE-2020-7211.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/virtualization.scm (qemu)[source]: Use them.
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2020-7211.patch')
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2020-7211.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2020-7211.patch b/gnu/packages/patches/qemu-CVE-2020-7211.patch new file mode 100644 index 0000000000..2885dda411 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2020-7211.patch @@ -0,0 +1,49 @@ +Fix CVE-2020-7211: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7211 + +Patch copied from upstream dependency repository: + +https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 + +From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Mon, 13 Jan 2020 17:44:31 +0530 +Subject: [PATCH] slirp: tftp: restrict relative path access + +tftp restricts relative or directory path access on Linux systems. +Apply same restrictions on Windows systems too. It helps to avoid +directory traversal issue. + +Fixes: https://bugs.launchpad.net/qemu/+bug/1812451 +Reported-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> +Message-Id: <20200113121431.156708-1-ppandit@redhat.com> +--- + src/tftp.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/tftp.c b/src/tftp.c +index 093c2e0..e52e71b 100644 +--- a/slirp/src/tftp.c ++++ b/slirp/src/tftp.c +@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas, + k += 6; /* skipping octet */ + + /* do sanity checks on the filename */ +- if (!strncmp(req_fname, "../", 3) || +- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) { ++ if ( ++#ifdef G_OS_WIN32 ++ strstr(req_fname, "..\\") || ++ req_fname[strlen(req_fname) - 1] == '\\' || ++#endif ++ strstr(req_fname, "../") || ++ req_fname[strlen(req_fname) - 1] == '/') { + tftp_send_error(spt, 2, "Access violation", tp); + return; + } +-- +2.24.1 + |