gnu: QEMU: Fix CVE-2020-{7039,7211}.
1 Fix CVE-2020-7211:
2
3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7211
4
5 Patch copied from upstream dependency repository:
6
7 https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4
8
9 From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
10 From: Prasad J Pandit <pjp@fedoraproject.org>
11 Date: Mon, 13 Jan 2020 17:44:31 +0530
12 Subject: [PATCH] slirp: tftp: restrict relative path access
13
14 tftp restricts relative or directory path access on Linux systems.
15 Apply the same restrictions on Windows systems too. This helps to
16 avoid a directory traversal issue.
17
18 Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
19 Reported-by: Peter Maydell <peter.maydell@linaro.org>
20 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
21 Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
22 Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
23 ---
24 src/tftp.c | 9 +++++++--
25 1 file changed, 7 insertions(+), 2 deletions(-)
26
27 diff --git a/src/tftp.c b/src/tftp.c
28 index 093c2e0..e52e71b 100644
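--- a/slirp/src/tftp.c
+++ b/slirp/src/tftp.c
@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
 k += 6; /* skipping octet */
 
 /* do sanity checks on the filename */
- if (!strncmp(req_fname, "../", 3) ||
- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
+ if (
+#ifdef G_OS_WIN32
+ strstr(req_fname, "..\\") ||
+ req_fname[strlen(req_fname) - 1] == '\\' ||
+#endif
+ strstr(req_fname, "../") ||
+ req_fname[strlen(req_fname) - 1] == '/') {
 tftp_send_error(spt, 2, "Access violation", tp);
 return;
 }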
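Review bot: `req_fname[strlen(req_fname) - 1]` now appears twice in the condition and reads one byte before the string when the requested name is empty, because `strlen()` returns 0 and the subtraction wraps; nothing visible in the hunk shows an empty name being rejected earlier. Computing the length once and testing the empty case first, `size_t len = strlen(req_fname);` with `len == 0 ||` at the head of the condition and `req_fname[len - 1]` in both comparisons, would make the check safe on its own. The backslash tests are compiled only under `G_OS_WIN32` and the whole check is a substring denylist, so the existing `/* do sanity checks on the filename */` comment could be extended to say which separators are rejected on which platform and that any name containing `../` is refused, not just a leading one. tftp_handle_rrq starts and ends outside the hunk, so earlier validation of the name cannot be confirmed from here.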
47 --
48 2.24.1
49