diff options
| author | Hitendra Prajapati <hprajapati@mvista.com> | 2024-01-03 14:31:28 +0530 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2024-01-12 07:14:16 -0500 |
| commit | 730e44900a0a86265bad93a16b5a5ff344a07266 (patch) | |
| tree | 0ac1f7a60f2b78ea246e8eec5ec5c81d6bd743cb /meta-networking | |
| parent | 764c779a19f1be68979a3a3b61e8174c73dc5bca (diff) | |
| download | meta-openembedded-730e44900a0a86265bad93a16b5a5ff344a07266.tar.gz | |
proftpd: Fix CVE-2023-51713 Out-of-bounds buffer read
Upstream-Status: Backport from https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-networking')
| -rw-r--r-- | meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch | 277 | ||||
| -rw-r--r-- | meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb | 1 |
2 files changed, 278 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch new file mode 100644 index 0000000000..4b2cac1870 --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch | |||
| @@ -0,0 +1,277 @@ | |||
| 1 | From 97bbe68363ccf2de0c07f67170ec64a8b4d62592 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: TJ Saunders <tj@castaglia.org> | ||
| 3 | Date: Sun, 6 Aug 2023 13:16:26 -0700 | ||
| 4 | Subject: [PATCH] Issue #1683: Avoid an edge case when handling unexpectedly | ||
| 5 | formatted input text from client, caused by quote/backslash semantics, by | ||
| 6 | skipping those semantics. | ||
| 7 | |||
| 8 | Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592] | ||
| 9 | CVE: CVE-2023-51713 | ||
| 10 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 11 | --- | ||
| 12 | include/str.h | 3 ++- | ||
| 13 | src/main.c | 34 +++++++++++++++++++++++++++++---- | ||
| 14 | src/str.c | 22 +++++++++++++--------- | ||
| 15 | tests/api/str.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++- | ||
| 16 | 4 files changed, 94 insertions(+), 15 deletions(-) | ||
| 17 | |||
| 18 | diff --git a/include/str.h b/include/str.h | ||
| 19 | index f08398017..1261ae2c2 100644 | ||
| 20 | --- a/include/str.h | ||
| 21 | +++ b/include/str.h | ||
| 22 | @@ -1,6 +1,6 @@ | ||
| 23 | /* | ||
| 24 | * ProFTPD - FTP server daemon | ||
| 25 | - * Copyright (c) 2008-2020 The ProFTPD Project team | ||
| 26 | + * Copyright (c) 2008-2023 The ProFTPD Project team | ||
| 27 | * | ||
| 28 | * This program is free software; you can redistribute it and/or modify | ||
| 29 | * it under the terms of the GNU General Public License as published by | ||
| 30 | @@ -131,6 +131,7 @@ const char *pr_gid2str(pool *, gid_t); | ||
| 31 | #define PR_STR_FL_PRESERVE_COMMENTS 0x0001 | ||
| 32 | #define PR_STR_FL_PRESERVE_WHITESPACE 0x0002 | ||
| 33 | #define PR_STR_FL_IGNORE_CASE 0x0004 | ||
| 34 | +#define PR_STR_FL_IGNORE_QUOTES 0x0008 | ||
| 35 | |||
| 36 | char *pr_str_get_token(char **, char *); | ||
| 37 | char *pr_str_get_token2(char **, char *, size_t *); | ||
| 38 | diff --git a/src/main.c b/src/main.c | ||
| 39 | index ee9c1eecb..e6b70731d 100644 | ||
| 40 | --- a/src/main.c | ||
| 41 | +++ b/src/main.c | ||
| 42 | @@ -811,8 +811,24 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { | ||
| 43 | return NULL; | ||
| 44 | } | ||
| 45 | |||
| 46 | + /* By default, pr_str_get_word will handle quotes and backslashes for | ||
| 47 | + * escaping characters. This can produce words which are shorter, use | ||
| 48 | + * fewer bytes than the corresponding input buffer. | ||
| 49 | + * | ||
| 50 | + * In this particular situation, we use the length of this initial word | ||
| 51 | + * for determining the length of the remaining buffer bytes, assumed to | ||
| 52 | + * contain the FTP command arguments. If this initial word is thus | ||
| 53 | + * unexpectedly "shorter", due to nonconformant FTP text, it can lead | ||
| 54 | + * the subsequent buffer scan, looking for CRNUL sequencees, to access | ||
| 55 | + * unexpected memory addresses (Issue #1683). | ||
| 56 | + * | ||
| 57 | + * Thus for this particular situation, we tell the function to ignore/skip | ||
| 58 | + * such quote/backslash semantics, and treat them as any other character | ||
| 59 | + * using the IGNORE_QUOTES flag. | ||
| 60 | + */ | ||
| 61 | + | ||
| 62 | ptr = buf; | ||
| 63 | - wrd = pr_str_get_word(&ptr, str_flags); | ||
| 64 | + wrd = pr_str_get_word(&ptr, str_flags|PR_STR_FL_IGNORE_QUOTES); | ||
| 65 | if (wrd == NULL) { | ||
| 66 | /* Nothing there...bail out. */ | ||
| 67 | pr_trace_msg("ctrl", 5, "command '%s' is empty, ignoring", buf); | ||
| 68 | @@ -820,6 +836,11 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { | ||
| 69 | return NULL; | ||
| 70 | } | ||
| 71 | |||
| 72 | + /* Note that this first word is the FTP command. This is why we make | ||
| 73 | + * use of the ptr buffer, which advances through the input buffer as | ||
| 74 | + * we read words from the buffer. | ||
| 75 | + */ | ||
| 76 | + | ||
| 77 | subpool = make_sub_pool(p); | ||
| 78 | pr_pool_tag(subpool, "make_ftp_cmd pool"); | ||
| 79 | cmd = pcalloc(subpool, sizeof(cmd_rec)); | ||
| 80 | @@ -846,6 +867,7 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { | ||
| 81 | arg_len = buflen - strlen(wrd); | ||
| 82 | arg = pcalloc(cmd->pool, arg_len + 1); | ||
| 83 | |||
| 84 | + /* Remember that ptr here is advanced past the first word. */ | ||
| 85 | for (i = 0, j = 0; i < arg_len; i++) { | ||
| 86 | pr_signals_handle(); | ||
| 87 | if (i > 1 && | ||
| 88 | @@ -854,14 +876,13 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { | ||
| 89 | |||
| 90 | /* Strip out the NUL by simply not copying it into the new buffer. */ | ||
| 91 | have_crnul = TRUE; | ||
| 92 | + | ||
| 93 | } else { | ||
| 94 | arg[j++] = ptr[i]; | ||
| 95 | } | ||
| 96 | } | ||
| 97 | |||
| 98 | - cmd->arg = arg; | ||
| 99 | - | ||
| 100 | - if (have_crnul) { | ||
| 101 | + if (have_crnul == TRUE) { | ||
| 102 | char *dup_arg; | ||
| 103 | |||
| 104 | /* Now make a copy of the stripped argument; this is what we need to | ||
| 105 | @@ -871,6 +892,11 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { | ||
| 106 | ptr = dup_arg; | ||
| 107 | } | ||
| 108 | |||
| 109 | + cmd->arg = arg; | ||
| 110 | + | ||
| 111 | + /* Now we can read the remamining words, as command arguments, from the | ||
| 112 | + * input buffer. | ||
| 113 | + */ | ||
| 114 | while ((wrd = pr_str_get_word(&ptr, str_flags)) != NULL) { | ||
| 115 | pr_signals_handle(); | ||
| 116 | *((char **) push_array(tarr)) = pstrdup(cmd->pool, wrd); | ||
| 117 | diff --git a/src/str.c b/src/str.c | ||
| 118 | index bcca4ae4d..a2ff74daf 100644 | ||
| 119 | --- a/src/str.c | ||
| 120 | +++ b/src/str.c | ||
| 121 | @@ -1,6 +1,6 @@ | ||
| 122 | /* | ||
| 123 | * ProFTPD - FTP server daemon | ||
| 124 | - * Copyright (c) 2008-2017 The ProFTPD Project team | ||
| 125 | + * Copyright (c) 2008-2023 The ProFTPD Project team | ||
| 126 | * | ||
| 127 | * This program is free software; you can redistribute it and/or modify | ||
| 128 | * it under the terms of the GNU General Public License as published by | ||
| 129 | @@ -1209,7 +1209,7 @@ int pr_str_get_nbytes(const char *str, const char *units, off_t *nbytes) { | ||
| 130 | |||
| 131 | char *pr_str_get_word(char **cp, int flags) { | ||
| 132 | char *res, *dst; | ||
| 133 | - char quote_mode = 0; | ||
| 134 | + int quote_mode = FALSE; | ||
| 135 | |||
| 136 | if (cp == NULL || | ||
| 137 | !*cp || | ||
| 138 | @@ -1238,24 +1238,28 @@ char *pr_str_get_word(char **cp, int flags) { | ||
| 139 | } | ||
| 140 | } | ||
| 141 | |||
| 142 | - if (**cp == '\"') { | ||
| 143 | - quote_mode++; | ||
| 144 | - (*cp)++; | ||
| 145 | + if (!(flags & PR_STR_FL_IGNORE_QUOTES)) { | ||
| 146 | + if (**cp == '\"') { | ||
| 147 | + quote_mode = TRUE; | ||
| 148 | + (*cp)++; | ||
| 149 | + } | ||
| 150 | } | ||
| 151 | |||
| 152 | while (**cp && (quote_mode ? (**cp != '\"') : !PR_ISSPACE(**cp))) { | ||
| 153 | pr_signals_handle(); | ||
| 154 | |||
| 155 | - if (**cp == '\\' && quote_mode) { | ||
| 156 | - | ||
| 157 | + if (**cp == '\\' && | ||
| 158 | + quote_mode == TRUE) { | ||
| 159 | /* Escaped char */ | ||
| 160 | if (*((*cp)+1)) { | ||
| 161 | - *dst = *(++(*cp)); | ||
| 162 | + *dst++ = *(++(*cp)); | ||
| 163 | + (*cp)++; | ||
| 164 | + continue; | ||
| 165 | } | ||
| 166 | } | ||
| 167 | |||
| 168 | *dst++ = **cp; | ||
| 169 | - ++(*cp); | ||
| 170 | + (*cp)++; | ||
| 171 | } | ||
| 172 | |||
| 173 | if (**cp) { | ||
| 174 | diff --git a/tests/api/str.c b/tests/api/str.c | ||
| 175 | index 050f5c563..bc64f0fb0 100644 | ||
| 176 | --- a/tests/api/str.c | ||
| 177 | +++ b/tests/api/str.c | ||
| 178 | @@ -1,6 +1,6 @@ | ||
| 179 | /* | ||
| 180 | * ProFTPD - FTP server testsuite | ||
| 181 | - * Copyright (c) 2008-2017 The ProFTPD Project team | ||
| 182 | + * Copyright (c) 2008-2023 The ProFTPD Project team | ||
| 183 | * | ||
| 184 | * This program is free software; you can redistribute it and/or modify | ||
| 185 | * it under the terms of the GNU General Public License as published by | ||
| 186 | @@ -695,19 +695,23 @@ END_TEST | ||
| 187 | START_TEST (get_word_test) { | ||
| 188 | char *ok, *res, *str; | ||
| 189 | |||
| 190 | + mark_point(); | ||
| 191 | res = pr_str_get_word(NULL, 0); | ||
| 192 | fail_unless(res == NULL, "Failed to handle null arguments"); | ||
| 193 | fail_unless(errno == EINVAL, "Failed to set errno to EINVAL"); | ||
| 194 | |||
| 195 | + mark_point(); | ||
| 196 | str = NULL; | ||
| 197 | res = pr_str_get_word(&str, 0); | ||
| 198 | fail_unless(res == NULL, "Failed to handle null str argument"); | ||
| 199 | fail_unless(errno == EINVAL, "Failed to set errno to EINVAL"); | ||
| 200 | |||
| 201 | + mark_point(); | ||
| 202 | str = pstrdup(p, " "); | ||
| 203 | res = pr_str_get_word(&str, 0); | ||
| 204 | fail_unless(res == NULL, "Failed to handle whitespace argument"); | ||
| 205 | |||
| 206 | + mark_point(); | ||
| 207 | str = pstrdup(p, " foo"); | ||
| 208 | res = pr_str_get_word(&str, PR_STR_FL_PRESERVE_WHITESPACE); | ||
| 209 | fail_unless(res != NULL, "Failed to handle whitespace argument: %s", | ||
| 210 | @@ -723,6 +727,7 @@ START_TEST (get_word_test) { | ||
| 211 | ok = "foo"; | ||
| 212 | fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); | ||
| 213 | |||
| 214 | + mark_point(); | ||
| 215 | str = pstrdup(p, " # foo"); | ||
| 216 | res = pr_str_get_word(&str, 0); | ||
| 217 | fail_unless(res == NULL, "Failed to handle commented argument"); | ||
| 218 | @@ -742,6 +747,8 @@ START_TEST (get_word_test) { | ||
| 219 | fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); | ||
| 220 | |||
| 221 | /* Test multiple embedded quotes. */ | ||
| 222 | + | ||
| 223 | + mark_point(); | ||
| 224 | str = pstrdup(p, "foo \"bar baz\" qux \"quz norf\""); | ||
| 225 | res = pr_str_get_word(&str, 0); | ||
| 226 | fail_unless(res != NULL, "Failed to handle quoted argument: %s", | ||
| 227 | @@ -770,6 +777,47 @@ START_TEST (get_word_test) { | ||
| 228 | |||
| 229 | ok = "quz norf"; | ||
| 230 | fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); | ||
| 231 | + | ||
| 232 | + | ||
| 233 | + /* Test embedded quotes with backslashes (Issue #1683). */ | ||
| 234 | + mark_point(); | ||
| 235 | + | ||
| 236 | + str = pstrdup(p, "\"\\\\SYST\""); | ||
| 237 | + res = pr_str_get_word(&str, 0); | ||
| 238 | + fail_unless(res != NULL, "Failed to handle quoted argument: %s", | ||
| 239 | + strerror(errno)); | ||
| 240 | + | ||
| 241 | + ok = "\\SYST"; | ||
| 242 | + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); | ||
| 243 | + | ||
| 244 | + mark_point(); | ||
| 245 | + str = pstrdup(p, "\"\"\\\\SYST"); | ||
| 246 | + res = pr_str_get_word(&str, 0); | ||
| 247 | + fail_unless(res != NULL, "Failed to handle quoted argument: %s", | ||
| 248 | + strerror(errno)); | ||
| 249 | + | ||
| 250 | + /* Note that pr_str_get_word() is intended to be called multiple times | ||
| 251 | + * on an advancing buffer, effectively tokenizing the buffer. This is | ||
| 252 | + * why the function does NOT decrement its quote mode. | ||
| 253 | + */ | ||
| 254 | + ok = ""; | ||
| 255 | + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); | ||
| 256 | + | ||
| 257 | + /* Now do the same tests with the IGNORE_QUOTES flag */ | ||
| 258 | + mark_point(); | ||
| 259 | + | ||
| 260 | + str = ok = pstrdup(p, "\"\\\\SYST\""); | ||
| 261 | + res = pr_str_get_word(&str, PR_STR_FL_IGNORE_QUOTES); | ||
| 262 | + fail_unless(res != NULL, "Failed to handle quoted argument: %s", | ||
| 263 | + strerror(errno)); | ||
| 264 | + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); | ||
| 265 | + | ||
| 266 | + mark_point(); | ||
| 267 | + str = ok = pstrdup(p, "\"\"\\\\SYST"); | ||
| 268 | + res = pr_str_get_word(&str, PR_STR_FL_IGNORE_QUOTES); | ||
| 269 | + fail_unless(res != NULL, "Failed to handle quoted argument: %s", | ||
| 270 | + strerror(errno)); | ||
| 271 | + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); | ||
| 272 | } | ||
| 273 | END_TEST | ||
| 274 | |||
| 275 | -- | ||
| 276 | 2.25.1 | ||
| 277 | |||
diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb index 686f1e5cdf..9d846f46a2 100644 --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb | |||
| @@ -15,6 +15,7 @@ SRC_URI = "git://github.com/proftpd/proftpd.git;branch=${BRANCH};protocol=https | |||
| 15 | file://contrib.patch \ | 15 | file://contrib.patch \ |
| 16 | file://build_fixup.patch \ | 16 | file://build_fixup.patch \ |
| 17 | file://proftpd.service \ | 17 | file://proftpd.service \ |
| 18 | file://CVE-2023-51713.patch \ | ||
| 18 | " | 19 | " |
| 19 | 20 | ||
| 20 | S = "${WORKDIR}/git" | 21 | S = "${WORKDIR}/git" |
