Fix CVE-2018-16867: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867 https://seclists.org/oss-sec/2018/q4/202 Patch copied from upstream source repository: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6 From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Mon, 3 Dec 2018 11:10:45 +0100 Subject: [PATCH] usb-mtp: outlaw slashes in filenames MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Slash is unix directory separator, so they are not allowed in filenames. Note this also stops the classic escape via "../". Fixes: CVE-2018-16867 Reported-by: Michael Hanselmann Signed-off-by: Gerd Hoffmann Reviewed-by: Philippe Mathieu-Daudé Message-id: 20181203101045.27976-3-kraxel@redhat.com --- hw/usb/dev-mtp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 0f6a9702ef1..100b7171f4e 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s) filename = utf16_to_str(dataset->length, dataset->filename); + if (strchr(filename, '/')) { + usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, + 0, 0, 0, 0); + return; + } + o = usb_mtp_object_lookup_name(p, filename, dataset->length); if (o != NULL) { next_handle = o->handle; -- 2.19.2