inetutils: fix CVE-2021-40491

CVE-2021-40491: The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl. References: https://nvd.nist.gov/vuln/detail/CVE-2021-40491 Patch from: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd (From OE-Core rev: 1b857807f1cf8fee3175f8479a0c7cb1850bd9a9) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yi Zhao <yi.zhao@windriver.com> 2021-09-26 11:16:42 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-26 12:05:03 +0100
commit: eafac9940adb69f085e1448516ab59976a16489b (patch)
tree: 9643d2cc9f81f6b90321afbd32e42a8a8664c4c4 /meta/recipes-connectivity/inetutils
parent: 06dcace68b021b020f14327c35358d58ecc698fa (diff)
download: poky-eafac9940adb69f085e1448516ab59976a16489b.tar.gz
2 files changed, 89 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch
new file mode 100644
index 0000000000..202488f75c
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch
@@ -0,0 +1,88 @@
+From 98ccabf68e5b3f0a177bd1925581753d10041448 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Wed, 1 Sep 2021 09:09:50 +0200
+Subject: [PATCH] ftp: check that PASV/LSPV addresses match.
+* NEWS: Mention change.
+* ftp/ftp.c (initconn): Validate returned addresses.
+CVE: CVE-2021-40491
+Upstream-Status: Backport
+[https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ NEWS      |  9 +++++++++
+ ftp/ftp.c | 21 +++++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+diff --git a/NEWS b/NEWS
+index 7c5e62c..bd9a4da 100644
+--- a/NEWS
+++ b/NEWS
+@@ -4,6 +4,15 @@ GNU inetutils NEWS -- history of user-visible changes.
+ 
+ ** ftp
+ 
+The ftp client now validate addresses returned by PASV/LSPV responses,
+to make sure they match the server address.  Reported by ZeddYu Lu in
+<https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html>.
+
+Thanks to Luke Mewburn <lukem@netbsd.org> for discussion and fix to
+NetBSD code, we used a similar solution.
+
+** ftp
+
+ Disable use of readline when environment variable TERM is unset or set
+ to "dumb" (caused problems with Emacs AngeFTP on MacOS).  Thanks to
+ Alex Bochannek for report, debugging and patch.
+diff --git a/ftp/ftp.c b/ftp/ftp.c
+index d21dbdd..7513539 100644
+--- a/ftp/ftp.c
+++ b/ftp/ftp.c
+@@ -1365,6 +1365,13 @@ initconn (void)
+                  uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr;
+                  pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3]);
+                }
+               if (data_addr_sa4->sin_addr.s_addr
+                   != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
+                 {
+                   printf ("Passive mode address mismatch.\n");
+                   (void) command ("ABOR");    /* Cancel any open connection.  */
+                   goto bad;
+                 }
+            } /* LPSV IPv4 */
+          else /* IPv6 */
+            {
+@@ -1395,6 +1402,13 @@ initconn (void)
+                  pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8) | h[11]);
+                  pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] << 8) | h[15]);
+                }
+               if (data_addr_sa6->sin6_addr.s6_addr
+                   != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr)
+                 {
+                   printf ("Passive mode address mismatch.\n");
+                   (void) command ("ABOR");    /* Cancel any open connection.  */
+                   goto bad;
+                 }
+            } /* LPSV IPv6 */
+        }
+       else /* !EPSV && !LPSV */
+@@ -1415,6 +1429,13 @@ initconn (void)
+                         | ((a2 & 0xff) << 8) | (a3 & 0xff) );
+              data_addr_sa4->sin_port =
+                  htons (((p0 & 0xff) << 8) | (p1 & 0xff));
+             if (data_addr_sa4->sin_addr.s_addr
+                 != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
+               {
+                 printf ("Passive mode address mismatch.\n");
+                 (void) command ("ABOR");      /* Cancel any open connection.  */
+                 goto bad;
+               }
+            } /* PASV */
+          else
+            {
+-- 
+2.17.1
diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.1.bb b/meta/recipes-connectivity/inetutils/inetutils_2.1.bb
index 0cf73cdb24..45b88b1d7f 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_2.1.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_2.1.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
           file://tftpd.xinetd.inetutils \
           file://inetutils-1.9-PATH_PROCNET_DEV.patch \
           file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \
+           file://CVE-2021-40491.patch \
 "
 inherit autotools gettext update-alternatives texinfo
author	Yi Zhao <yi.zhao@windriver.com>	2021-09-26 11:16:42 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-26 12:05:03 +0100
commit	eafac9940adb69f085e1448516ab59976a16489b (patch)
tree	9643d2cc9f81f6b90321afbd32e42a8a8664c4c4 /meta/recipes-connectivity/inetutils
parent	06dcace68b021b020f14327c35358d58ecc698fa (diff)
download	poky-eafac9940adb69f085e1448516ab59976a16489b.tar.gz

diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch new file mode 100644 index 0000000000..202488f75c --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch
@@ -0,0 +1,88 @@
		1	From 98ccabf68e5b3f0a177bd1925581753d10041448 Mon Sep 17 00:00:00 2001
		2	From: Simon Josefsson <simon@josefsson.org>
		3	Date: Wed, 1 Sep 2021 09:09:50 +0200
		4	Subject: [PATCH] ftp: check that PASV/LSPV addresses match.
		5
		6	* NEWS: Mention change.
		7	* ftp/ftp.c (initconn): Validate returned addresses.
		8
		9	CVE: CVE-2021-40491
		10
		11	Upstream-Status: Backport
		12	[https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd]
		13
		14	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		15	---
		16	NEWS \| 9 +++++++++
		17	ftp/ftp.c \| 21 +++++++++++++++++++++
		18	2 files changed, 30 insertions(+)
		19
		20	diff --git a/NEWS b/NEWS
		21	index 7c5e62c..bd9a4da 100644
		22	--- a/NEWS
		23	+++ b/NEWS
		24	@@ -4,6 +4,15 @@ GNU inetutils NEWS -- history of user-visible changes.
		25
		26	** ftp
		27
		28	+The ftp client now validate addresses returned by PASV/LSPV responses,
		29	+to make sure they match the server address. Reported by ZeddYu Lu in
		30	+<https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html>.
		31	+
		32	+Thanks to Luke Mewburn <lukem@netbsd.org> for discussion and fix to
		33	+NetBSD code, we used a similar solution.
		34	+
		35	+** ftp
		36	+
		37	Disable use of readline when environment variable TERM is unset or set
		38	to "dumb" (caused problems with Emacs AngeFTP on MacOS). Thanks to
		39	Alex Bochannek for report, debugging and patch.
		40	diff --git a/ftp/ftp.c b/ftp/ftp.c
		41	index d21dbdd..7513539 100644
		42	--- a/ftp/ftp.c
		43	+++ b/ftp/ftp.c
		44	@@ -1365,6 +1365,13 @@ initconn (void)
		45	uint32_t pu32 = (uint32_t ) &data_addr_sa4->sin_addr.s_addr;
		46	pu32[0] = htonl ( (h[0] << 24) \| (h[1] << 16) \| (h[2] << 8) \| h[3]);
		47	}
		48	+ if (data_addr_sa4->sin_addr.s_addr
		49	+ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
		50	+ {
		51	+ printf ("Passive mode address mismatch.\n");
		52	+ (void) command ("ABOR"); /* Cancel any open connection. */
		53	+ goto bad;
		54	+ }
		55	} /* LPSV IPv4 */
		56	else /* IPv6 */
		57	{
		58	@@ -1395,6 +1402,13 @@ initconn (void)
		59	pu32[2] = htonl ( (h[8] << 24) \| (h[9] << 16) \| (h[10] << 8) \| h[11]);
		60	pu32[3] = htonl ( (h[12] << 24) \| (h[13] << 16) \| (h[14] << 8) \| h[15]);
		61	}
		62	+ if (data_addr_sa6->sin6_addr.s6_addr
		63	+ != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr)
		64	+ {
		65	+ printf ("Passive mode address mismatch.\n");
		66	+ (void) command ("ABOR"); /* Cancel any open connection. */
		67	+ goto bad;
		68	+ }
		69	} /* LPSV IPv6 */
		70	}
		71	else /* !EPSV && !LPSV */
		72	@@ -1415,6 +1429,13 @@ initconn (void)
		73	\| ((a2 & 0xff) << 8) \| (a3 & 0xff) );
		74	data_addr_sa4->sin_port =
		75	htons (((p0 & 0xff) << 8) \| (p1 & 0xff));
		76	+ if (data_addr_sa4->sin_addr.s_addr
		77	+ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
		78	+ {
		79	+ printf ("Passive mode address mismatch.\n");
		80	+ (void) command ("ABOR"); /* Cancel any open connection. */
		81	+ goto bad;
		82	+ }
		83	} /* PASV */
		84	else
		85	{
		86	--
		87	2.17.1
		88


diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.1.bb b/meta/recipes-connectivity/inetutils/inetutils_2.1.bb index 0cf73cdb24..45b88b1d7f 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_2.1.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_2.1.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
21	file://tftpd.xinetd.inetutils \	21	file://tftpd.xinetd.inetutils \
22	file://inetutils-1.9-PATH_PROCNET_DEV.patch \	22	file://inetutils-1.9-PATH_PROCNET_DEV.patch \
23	file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \	23	file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \
		24	file://CVE-2021-40491.patch \
24	"	25	"
25		26
26	inherit autotools gettext update-alternatives texinfo	27	inherit autotools gettext update-alternatives texinfo