diff options
author | Hitendra Prajapati <hprajapati@mvista.com> | 2024-01-03 14:30:09 +0530 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2024-01-16 07:31:14 -0500 |
commit | e4af0cd4912cb78617fc654cb393a2693bf00a3c (patch) | |
tree | c3400bd0f55fee7b18d5e211b1f23918dc40f045 | |
parent | 60569e5c89bdc65b7ae08065bae02c9b38d8ec80 (diff) | |
download | meta-openembedded-e4af0cd4912cb78617fc654cb393a2693bf00a3c.tar.gz |
proftpd: Fix CVE-2023-51713 Out-of-bounds buffer read
Upstream-Status: Backport from https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch | 278 | ||||
-rw-r--r-- | meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb | 1 |
2 files changed, 279 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch new file mode 100644 index 000000000..12f694807 --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch | |||
@@ -0,0 +1,278 @@ | |||
1 | From 97bbe68363ccf2de0c07f67170ec64a8b4d62592 Mon Sep 17 00:00:00 2001 | ||
2 | From: TJ Saunders <tj@castaglia.org> | ||
3 | Date: Sun, 6 Aug 2023 13:16:26 -0700 | ||
4 | Subject: [PATCH] Issue #1683: Avoid an edge case when handling unexpectedly | ||
5 | formatted input text from client, caused by quote/backslash semantics, by | ||
6 | skipping those semantics. | ||
7 | |||
8 | Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592] | ||
9 | CVE: CVE-2023-51713 | ||
10 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
11 | --- | ||
12 | include/str.h | 3 ++- | ||
13 | src/main.c | 35 +++++++++++++++++++++++++++++----- | ||
14 | src/str.c | 22 +++++++++++++--------- | ||
15 | tests/api/str.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++- | ||
16 | 4 files changed, 94 insertions(+), 16 deletions(-) | ||
17 | |||
18 | diff --git a/include/str.h b/include/str.h | ||
19 | index 316a32a..049a1b2 100644 | ||
20 | --- a/include/str.h | ||
21 | +++ b/include/str.h | ||
22 | @@ -1,6 +1,6 @@ | ||
23 | /* | ||
24 | * ProFTPD - FTP server daemon | ||
25 | - * Copyright (c) 2008-2017 The ProFTPD Project team | ||
26 | + * Copyright (c) 2008-2023 The ProFTPD Project team | ||
27 | * | ||
28 | * This program is free software; you can redistribute it and/or modify | ||
29 | * it under the terms of the GNU General Public License as published by | ||
30 | @@ -121,6 +121,7 @@ const char *pr_gid2str(pool *, gid_t); | ||
31 | #define PR_STR_FL_PRESERVE_COMMENTS 0x0001 | ||
32 | #define PR_STR_FL_PRESERVE_WHITESPACE 0x0002 | ||
33 | #define PR_STR_FL_IGNORE_CASE 0x0004 | ||
34 | +#define PR_STR_FL_IGNORE_QUOTES 0x0008 | ||
35 | |||
36 | char *pr_str_get_token(char **, char *); | ||
37 | char *pr_str_get_token2(char **, char *, size_t *); | ||
38 | diff --git a/src/main.c b/src/main.c | ||
39 | index 1ead27f..01b1ef8 100644 | ||
40 | --- a/src/main.c | ||
41 | +++ b/src/main.c | ||
42 | @@ -787,8 +787,24 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { | ||
43 | return NULL; | ||
44 | } | ||
45 | |||
46 | + /* By default, pr_str_get_word will handle quotes and backslashes for | ||
47 | + * escaping characters. This can produce words which are shorter, use | ||
48 | + * fewer bytes than the corresponding input buffer. | ||
49 | + * | ||
50 | + * In this particular situation, we use the length of this initial word | ||
51 | + * for determining the length of the remaining buffer bytes, assumed to | ||
52 | + * contain the FTP command arguments. If this initial word is thus | ||
53 | + * unexpectedly "shorter", due to nonconformant FTP text, it can lead | ||
54 | + * the subsequent buffer scan, looking for CRNUL sequencees, to access | ||
55 | + * unexpected memory addresses (Issue #1683). | ||
56 | + * | ||
57 | + * Thus for this particular situation, we tell the function to ignore/skip | ||
58 | + * such quote/backslash semantics, and treat them as any other character | ||
59 | + * using the IGNORE_QUOTES flag. | ||
60 | + */ | ||
61 | + | ||
62 | ptr = buf; | ||
63 | - wrd = pr_str_get_word(&ptr, str_flags); | ||
64 | + wrd = pr_str_get_word(&ptr, str_flags|PR_STR_FL_IGNORE_QUOTES); | ||
65 | if (wrd == NULL) { | ||
66 | /* Nothing there...bail out. */ | ||
67 | pr_trace_msg("ctrl", 5, "command '%s' is empty, ignoring", buf); | ||
68 | @@ -796,6 +812,11 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { | ||
69 | return NULL; | ||
70 | } | ||
71 | |||
72 | + /* Note that this first word is the FTP command. This is why we make | ||
73 | + * use of the ptr buffer, which advances through the input buffer as | ||
74 | + * we read words from the buffer. | ||
75 | + */ | ||
76 | + | ||
77 | subpool = make_sub_pool(p); | ||
78 | pr_pool_tag(subpool, "make_ftp_cmd pool"); | ||
79 | cmd = pcalloc(subpool, sizeof(cmd_rec)); | ||
80 | @@ -822,6 +843,7 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { | ||
81 | arg_len = buflen - strlen(wrd); | ||
82 | arg = pcalloc(cmd->pool, arg_len + 1); | ||
83 | |||
84 | + /* Remember that ptr here is advanced past the first word. */ | ||
85 | for (i = 0, j = 0; i < arg_len; i++) { | ||
86 | pr_signals_handle(); | ||
87 | if (i > 1 && | ||
88 | @@ -830,15 +852,13 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { | ||
89 | |||
90 | /* Strip out the NUL by simply not copying it into the new buffer. */ | ||
91 | have_crnul = TRUE; | ||
92 | - | ||
93 | + | ||
94 | } else { | ||
95 | arg[j++] = ptr[i]; | ||
96 | } | ||
97 | } | ||
98 | |||
99 | - cmd->arg = arg; | ||
100 | - | ||
101 | - if (have_crnul) { | ||
102 | + if (have_crnul == TRUE) { | ||
103 | char *dup_arg; | ||
104 | |||
105 | /* Now make a copy of the stripped argument; this is what we need to | ||
106 | @@ -848,6 +868,11 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { | ||
107 | ptr = dup_arg; | ||
108 | } | ||
109 | |||
110 | + cmd->arg = arg; | ||
111 | + | ||
112 | + /* Now we can read the remamining words, as command arguments, from the | ||
113 | + * input buffer. | ||
114 | + */ | ||
115 | while ((wrd = pr_str_get_word(&ptr, str_flags)) != NULL) { | ||
116 | pr_signals_handle(); | ||
117 | *((char **) push_array(tarr)) = pstrdup(cmd->pool, wrd); | ||
118 | diff --git a/src/str.c b/src/str.c | ||
119 | index eeed096..04188ce 100644 | ||
120 | --- a/src/str.c | ||
121 | +++ b/src/str.c | ||
122 | @@ -1,6 +1,6 @@ | ||
123 | /* | ||
124 | * ProFTPD - FTP server daemon | ||
125 | - * Copyright (c) 2008-2017 The ProFTPD Project team | ||
126 | + * Copyright (c) 2008-2023 The ProFTPD Project team | ||
127 | * | ||
128 | * This program is free software; you can redistribute it and/or modify | ||
129 | * it under the terms of the GNU General Public License as published by | ||
130 | @@ -1209,7 +1209,7 @@ int pr_str_get_nbytes(const char *str, const char *units, off_t *nbytes) { | ||
131 | |||
132 | char *pr_str_get_word(char **cp, int flags) { | ||
133 | char *res, *dst; | ||
134 | - char quote_mode = 0; | ||
135 | + int quote_mode = FALSE; | ||
136 | |||
137 | if (cp == NULL || | ||
138 | !*cp || | ||
139 | @@ -1238,24 +1238,28 @@ char *pr_str_get_word(char **cp, int flags) { | ||
140 | } | ||
141 | } | ||
142 | |||
143 | - if (**cp == '\"') { | ||
144 | - quote_mode++; | ||
145 | - (*cp)++; | ||
146 | + if (!(flags & PR_STR_FL_IGNORE_QUOTES)) { | ||
147 | + if (**cp == '\"') { | ||
148 | + quote_mode = TRUE; | ||
149 | + (*cp)++; | ||
150 | + } | ||
151 | } | ||
152 | |||
153 | while (**cp && (quote_mode ? (**cp != '\"') : !PR_ISSPACE(**cp))) { | ||
154 | pr_signals_handle(); | ||
155 | |||
156 | - if (**cp == '\\' && quote_mode) { | ||
157 | - | ||
158 | + if (**cp == '\\' && | ||
159 | + quote_mode == TRUE) { | ||
160 | /* Escaped char */ | ||
161 | if (*((*cp)+1)) { | ||
162 | - *dst = *(++(*cp)); | ||
163 | + *dst++ = *(++(*cp)); | ||
164 | + (*cp)++; | ||
165 | + continue; | ||
166 | } | ||
167 | } | ||
168 | |||
169 | *dst++ = **cp; | ||
170 | - ++(*cp); | ||
171 | + (*cp)++; | ||
172 | } | ||
173 | |||
174 | if (**cp) { | ||
175 | diff --git a/tests/api/str.c b/tests/api/str.c | ||
176 | index 7c6e110..77fda8f 100644 | ||
177 | --- a/tests/api/str.c | ||
178 | +++ b/tests/api/str.c | ||
179 | @@ -1,6 +1,6 @@ | ||
180 | /* | ||
181 | * ProFTPD - FTP server testsuite | ||
182 | - * Copyright (c) 2008-2017 The ProFTPD Project team | ||
183 | + * Copyright (c) 2008-2023 The ProFTPD Project team | ||
184 | * | ||
185 | * This program is free software; you can redistribute it and/or modify | ||
186 | * it under the terms of the GNU General Public License as published by | ||
187 | @@ -695,19 +695,23 @@ END_TEST | ||
188 | START_TEST (get_word_test) { | ||
189 | char *ok, *res, *str; | ||
190 | |||
191 | + mark_point(); | ||
192 | res = pr_str_get_word(NULL, 0); | ||
193 | fail_unless(res == NULL, "Failed to handle null arguments"); | ||
194 | fail_unless(errno == EINVAL, "Failed to set errno to EINVAL"); | ||
195 | |||
196 | + mark_point(); | ||
197 | str = NULL; | ||
198 | res = pr_str_get_word(&str, 0); | ||
199 | fail_unless(res == NULL, "Failed to handle null str argument"); | ||
200 | fail_unless(errno == EINVAL, "Failed to set errno to EINVAL"); | ||
201 | |||
202 | + mark_point(); | ||
203 | str = pstrdup(p, " "); | ||
204 | res = pr_str_get_word(&str, 0); | ||
205 | fail_unless(res == NULL, "Failed to handle whitespace argument"); | ||
206 | |||
207 | + mark_point(); | ||
208 | str = pstrdup(p, " foo"); | ||
209 | res = pr_str_get_word(&str, PR_STR_FL_PRESERVE_WHITESPACE); | ||
210 | fail_unless(res != NULL, "Failed to handle whitespace argument: %s", | ||
211 | @@ -723,6 +727,7 @@ START_TEST (get_word_test) { | ||
212 | ok = "foo"; | ||
213 | fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); | ||
214 | |||
215 | + mark_point(); | ||
216 | str = pstrdup(p, " # foo"); | ||
217 | res = pr_str_get_word(&str, 0); | ||
218 | fail_unless(res == NULL, "Failed to handle commented argument"); | ||
219 | @@ -742,6 +747,8 @@ START_TEST (get_word_test) { | ||
220 | fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); | ||
221 | |||
222 | /* Test multiple embedded quotes. */ | ||
223 | + | ||
224 | + mark_point(); | ||
225 | str = pstrdup(p, "foo \"bar baz\" qux \"quz norf\""); | ||
226 | res = pr_str_get_word(&str, 0); | ||
227 | fail_unless(res != NULL, "Failed to handle quoted argument: %s", | ||
228 | @@ -770,6 +777,47 @@ START_TEST (get_word_test) { | ||
229 | |||
230 | ok = "quz norf"; | ||
231 | fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); | ||
232 | + | ||
233 | + | ||
234 | + /* Test embedded quotes with backslashes (Issue #1683). */ | ||
235 | + mark_point(); | ||
236 | + | ||
237 | + str = pstrdup(p, "\"\\\\SYST\""); | ||
238 | + res = pr_str_get_word(&str, 0); | ||
239 | + fail_unless(res != NULL, "Failed to handle quoted argument: %s", | ||
240 | + strerror(errno)); | ||
241 | + | ||
242 | + ok = "\\SYST"; | ||
243 | + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); | ||
244 | + | ||
245 | + mark_point(); | ||
246 | + str = pstrdup(p, "\"\"\\\\SYST"); | ||
247 | + res = pr_str_get_word(&str, 0); | ||
248 | + fail_unless(res != NULL, "Failed to handle quoted argument: %s", | ||
249 | + strerror(errno)); | ||
250 | + | ||
251 | + /* Note that pr_str_get_word() is intended to be called multiple times | ||
252 | + * on an advancing buffer, effectively tokenizing the buffer. This is | ||
253 | + * why the function does NOT decrement its quote mode. | ||
254 | + */ | ||
255 | + ok = ""; | ||
256 | + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); | ||
257 | + | ||
258 | + /* Now do the same tests with the IGNORE_QUOTES flag */ | ||
259 | + mark_point(); | ||
260 | + | ||
261 | + str = ok = pstrdup(p, "\"\\\\SYST\""); | ||
262 | + res = pr_str_get_word(&str, PR_STR_FL_IGNORE_QUOTES); | ||
263 | + fail_unless(res != NULL, "Failed to handle quoted argument: %s", | ||
264 | + strerror(errno)); | ||
265 | + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); | ||
266 | + | ||
267 | + mark_point(); | ||
268 | + str = ok = pstrdup(p, "\"\"\\\\SYST"); | ||
269 | + res = pr_str_get_word(&str, PR_STR_FL_IGNORE_QUOTES); | ||
270 | + fail_unless(res != NULL, "Failed to handle quoted argument: %s", | ||
271 | + strerror(errno)); | ||
272 | + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); | ||
273 | } | ||
274 | END_TEST | ||
275 | |||
276 | -- | ||
277 | 2.25.1 | ||
278 | |||
diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb index 9ec97b923..aa1f9e4ef 100644 --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb | |||
@@ -13,6 +13,7 @@ SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \ | |||
13 | file://build_fixup.patch \ | 13 | file://build_fixup.patch \ |
14 | file://proftpd.service \ | 14 | file://proftpd.service \ |
15 | file://CVE-2021-46854.patch \ | 15 | file://CVE-2021-46854.patch \ |
16 | file://CVE-2023-51713.patch \ | ||
16 | " | 17 | " |
17 | SRC_URI[md5sum] = "13270911c42aac842435f18205546a1b" | 18 | SRC_URI[md5sum] = "13270911c42aac842435f18205546a1b" |
18 | SRC_URI[sha256sum] = "91ef74b143495d5ff97c4d4770c6804072a8c8eb1ad1ecc8cc541b40e152ecaf" | 19 | SRC_URI[sha256sum] = "91ef74b143495d5ff97c4d4770c6804072a8c8eb1ad1ecc8cc541b40e152ecaf" |