X-Git-Url: https://git.hcoop.net/hcoop/debian/exim4.git/blobdiff_plain/798bcb8a094a3a7399d04d760c882f4f25922f41..0c0c20aac64e1ef4037c144efec9a064add0d055:/debian/patches/84_15-Security-Safeguard-against-relative-names-for-msglog.patch diff --git a/debian/patches/84_15-Security-Safeguard-against-relative-names-for-msglog.patch b/debian/patches/84_15-Security-Safeguard-against-relative-names-for-msglog.patch new file mode 100644 index 0000000..7b2607a --- /dev/null +++ b/debian/patches/84_15-Security-Safeguard-against-relative-names-for-msglog.patch @@ -0,0 +1,41 @@ +From 0d5d8fc918c4b999a2d5b025d94e25e43680377d Mon Sep 17 00:00:00 2001 +From: Qualys Security Advisory +Date: Sun, 21 Feb 2021 22:00:31 -0800 +Subject: [PATCH 15/29] Security: Safeguard against relative names for msglog + files. + +Based on Heiko Schlittermann's commit 4f0ac4ad. This fixes: + +3/ In src/deliver.c: + + 333 static int + 334 open_msglog_file(uschar *filename, int mode, uschar **error) + 335 { + 336 if (Ustrstr(filename, US"/../")) + 337 log_write(0, LOG_MAIN|LOG_PANIC, + 338 "Attempt to open msglog file path with upward-traversal: '%s'\n", filename); + +Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log +the /../ attempt but will open the file anyway. +--- + src/deliver.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/deliver.c b/src/deliver.c +index d4ed8af08..279672ce0 100644 +--- a/src/deliver.c ++++ b/src/deliver.c +@@ -331,6 +331,10 @@ open_msglog_file(uschar *filename, int mode, uschar **error) + { + int fd, i; + ++if (Ustrstr(filename, US"/../")) ++ log_write(0, LOG_MAIN|LOG_PANIC_DIE, ++ "Attempt to open msglog file path with upward-traversal: '%s'", filename); ++ + for (i = 2; i > 0; i--) + { + fd = Uopen(filename, +-- +2.30.2 +