summaryrefslogtreecommitdiffstats
path: root/meta-networking
diff options
context:
space:
mode:
authorHitendra Prajapati <hprajapati@mvista.com>2024-01-03 14:31:28 +0530
committerArmin Kuster <akuster808@gmail.com>2024-01-12 07:14:16 -0500
commit730e44900a0a86265bad93a16b5a5ff344a07266 (patch)
tree0ac1f7a60f2b78ea246e8eec5ec5c81d6bd743cb /meta-networking
parent764c779a19f1be68979a3a3b61e8174c73dc5bca (diff)
downloadmeta-openembedded-730e44900a0a86265bad93a16b5a5ff344a07266.tar.gz
proftpd: Fix CVE-2023-51713 Out-of-bounds buffer read
Upstream-Status: Backport from https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-networking')
-rw-r--r--meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch277
-rw-r--r--meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb1
2 files changed, 278 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch
new file mode 100644
index 0000000000..4b2cac1870
--- /dev/null
+++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch
@@ -0,0 +1,277 @@
1From 97bbe68363ccf2de0c07f67170ec64a8b4d62592 Mon Sep 17 00:00:00 2001
2From: TJ Saunders <tj@castaglia.org>
3Date: Sun, 6 Aug 2023 13:16:26 -0700
4Subject: [PATCH] Issue #1683: Avoid an edge case when handling unexpectedly
5 formatted input text from client, caused by quote/backslash semantics, by
6 skipping those semantics.
7
8Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592]
9CVE: CVE-2023-51713
10Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
11---
12 include/str.h | 3 ++-
13 src/main.c | 34 +++++++++++++++++++++++++++++----
14 src/str.c | 22 +++++++++++++---------
15 tests/api/str.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++-
16 4 files changed, 94 insertions(+), 15 deletions(-)
17
18diff --git a/include/str.h b/include/str.h
19index f08398017..1261ae2c2 100644
20--- a/include/str.h
21+++ b/include/str.h
22@@ -1,6 +1,6 @@
23 /*
24 * ProFTPD - FTP server daemon
25- * Copyright (c) 2008-2020 The ProFTPD Project team
26+ * Copyright (c) 2008-2023 The ProFTPD Project team
27 *
28 * This program is free software; you can redistribute it and/or modify
29 * it under the terms of the GNU General Public License as published by
30@@ -131,6 +131,7 @@ const char *pr_gid2str(pool *, gid_t);
31 #define PR_STR_FL_PRESERVE_COMMENTS 0x0001
32 #define PR_STR_FL_PRESERVE_WHITESPACE 0x0002
33 #define PR_STR_FL_IGNORE_CASE 0x0004
34+#define PR_STR_FL_IGNORE_QUOTES 0x0008
35
36 char *pr_str_get_token(char **, char *);
37 char *pr_str_get_token2(char **, char *, size_t *);
38diff --git a/src/main.c b/src/main.c
39index ee9c1eecb..e6b70731d 100644
40--- a/src/main.c
41+++ b/src/main.c
42@@ -811,8 +811,24 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) {
43 return NULL;
44 }
45
46+ /* By default, pr_str_get_word will handle quotes and backslashes for
47+ * escaping characters. This can produce words which are shorter, use
48+ * fewer bytes than the corresponding input buffer.
49+ *
50+ * In this particular situation, we use the length of this initial word
51+ * for determining the length of the remaining buffer bytes, assumed to
52+ * contain the FTP command arguments. If this initial word is thus
53+ * unexpectedly "shorter", due to nonconformant FTP text, it can lead
54+ * the subsequent buffer scan, looking for CRNUL sequencees, to access
55+ * unexpected memory addresses (Issue #1683).
56+ *
57+ * Thus for this particular situation, we tell the function to ignore/skip
58+ * such quote/backslash semantics, and treat them as any other character
59+ * using the IGNORE_QUOTES flag.
60+ */
61+
62 ptr = buf;
63- wrd = pr_str_get_word(&ptr, str_flags);
64+ wrd = pr_str_get_word(&ptr, str_flags|PR_STR_FL_IGNORE_QUOTES);
65 if (wrd == NULL) {
66 /* Nothing there...bail out. */
67 pr_trace_msg("ctrl", 5, "command '%s' is empty, ignoring", buf);
68@@ -820,6 +836,11 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) {
69 return NULL;
70 }
71
72+ /* Note that this first word is the FTP command. This is why we make
73+ * use of the ptr buffer, which advances through the input buffer as
74+ * we read words from the buffer.
75+ */
76+
77 subpool = make_sub_pool(p);
78 pr_pool_tag(subpool, "make_ftp_cmd pool");
79 cmd = pcalloc(subpool, sizeof(cmd_rec));
80@@ -846,6 +867,7 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) {
81 arg_len = buflen - strlen(wrd);
82 arg = pcalloc(cmd->pool, arg_len + 1);
83
84+ /* Remember that ptr here is advanced past the first word. */
85 for (i = 0, j = 0; i < arg_len; i++) {
86 pr_signals_handle();
87 if (i > 1 &&
88@@ -854,14 +876,13 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) {
89
90 /* Strip out the NUL by simply not copying it into the new buffer. */
91 have_crnul = TRUE;
92+
93 } else {
94 arg[j++] = ptr[i];
95 }
96 }
97
98- cmd->arg = arg;
99-
100- if (have_crnul) {
101+ if (have_crnul == TRUE) {
102 char *dup_arg;
103
104 /* Now make a copy of the stripped argument; this is what we need to
105@@ -871,6 +892,11 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) {
106 ptr = dup_arg;
107 }
108
109+ cmd->arg = arg;
110+
111+ /* Now we can read the remamining words, as command arguments, from the
112+ * input buffer.
113+ */
114 while ((wrd = pr_str_get_word(&ptr, str_flags)) != NULL) {
115 pr_signals_handle();
116 *((char **) push_array(tarr)) = pstrdup(cmd->pool, wrd);
117diff --git a/src/str.c b/src/str.c
118index bcca4ae4d..a2ff74daf 100644
119--- a/src/str.c
120+++ b/src/str.c
121@@ -1,6 +1,6 @@
122 /*
123 * ProFTPD - FTP server daemon
124- * Copyright (c) 2008-2017 The ProFTPD Project team
125+ * Copyright (c) 2008-2023 The ProFTPD Project team
126 *
127 * This program is free software; you can redistribute it and/or modify
128 * it under the terms of the GNU General Public License as published by
129@@ -1209,7 +1209,7 @@ int pr_str_get_nbytes(const char *str, const char *units, off_t *nbytes) {
130
131 char *pr_str_get_word(char **cp, int flags) {
132 char *res, *dst;
133- char quote_mode = 0;
134+ int quote_mode = FALSE;
135
136 if (cp == NULL ||
137 !*cp ||
138@@ -1238,24 +1238,28 @@ char *pr_str_get_word(char **cp, int flags) {
139 }
140 }
141
142- if (**cp == '\"') {
143- quote_mode++;
144- (*cp)++;
145+ if (!(flags & PR_STR_FL_IGNORE_QUOTES)) {
146+ if (**cp == '\"') {
147+ quote_mode = TRUE;
148+ (*cp)++;
149+ }
150 }
151
152 while (**cp && (quote_mode ? (**cp != '\"') : !PR_ISSPACE(**cp))) {
153 pr_signals_handle();
154
155- if (**cp == '\\' && quote_mode) {
156-
157+ if (**cp == '\\' &&
158+ quote_mode == TRUE) {
159 /* Escaped char */
160 if (*((*cp)+1)) {
161- *dst = *(++(*cp));
162+ *dst++ = *(++(*cp));
163+ (*cp)++;
164+ continue;
165 }
166 }
167
168 *dst++ = **cp;
169- ++(*cp);
170+ (*cp)++;
171 }
172
173 if (**cp) {
174diff --git a/tests/api/str.c b/tests/api/str.c
175index 050f5c563..bc64f0fb0 100644
176--- a/tests/api/str.c
177+++ b/tests/api/str.c
178@@ -1,6 +1,6 @@
179 /*
180 * ProFTPD - FTP server testsuite
181- * Copyright (c) 2008-2017 The ProFTPD Project team
182+ * Copyright (c) 2008-2023 The ProFTPD Project team
183 *
184 * This program is free software; you can redistribute it and/or modify
185 * it under the terms of the GNU General Public License as published by
186@@ -695,19 +695,23 @@ END_TEST
187 START_TEST (get_word_test) {
188 char *ok, *res, *str;
189
190+ mark_point();
191 res = pr_str_get_word(NULL, 0);
192 fail_unless(res == NULL, "Failed to handle null arguments");
193 fail_unless(errno == EINVAL, "Failed to set errno to EINVAL");
194
195+ mark_point();
196 str = NULL;
197 res = pr_str_get_word(&str, 0);
198 fail_unless(res == NULL, "Failed to handle null str argument");
199 fail_unless(errno == EINVAL, "Failed to set errno to EINVAL");
200
201+ mark_point();
202 str = pstrdup(p, " ");
203 res = pr_str_get_word(&str, 0);
204 fail_unless(res == NULL, "Failed to handle whitespace argument");
205
206+ mark_point();
207 str = pstrdup(p, " foo");
208 res = pr_str_get_word(&str, PR_STR_FL_PRESERVE_WHITESPACE);
209 fail_unless(res != NULL, "Failed to handle whitespace argument: %s",
210@@ -723,6 +727,7 @@ START_TEST (get_word_test) {
211 ok = "foo";
212 fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res);
213
214+ mark_point();
215 str = pstrdup(p, " # foo");
216 res = pr_str_get_word(&str, 0);
217 fail_unless(res == NULL, "Failed to handle commented argument");
218@@ -742,6 +747,8 @@ START_TEST (get_word_test) {
219 fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res);
220
221 /* Test multiple embedded quotes. */
222+
223+ mark_point();
224 str = pstrdup(p, "foo \"bar baz\" qux \"quz norf\"");
225 res = pr_str_get_word(&str, 0);
226 fail_unless(res != NULL, "Failed to handle quoted argument: %s",
227@@ -770,6 +777,47 @@ START_TEST (get_word_test) {
228
229 ok = "quz norf";
230 fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res);
231+
232+
233+ /* Test embedded quotes with backslashes (Issue #1683). */
234+ mark_point();
235+
236+ str = pstrdup(p, "\"\\\\SYST\"");
237+ res = pr_str_get_word(&str, 0);
238+ fail_unless(res != NULL, "Failed to handle quoted argument: %s",
239+ strerror(errno));
240+
241+ ok = "\\SYST";
242+ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res);
243+
244+ mark_point();
245+ str = pstrdup(p, "\"\"\\\\SYST");
246+ res = pr_str_get_word(&str, 0);
247+ fail_unless(res != NULL, "Failed to handle quoted argument: %s",
248+ strerror(errno));
249+
250+ /* Note that pr_str_get_word() is intended to be called multiple times
251+ * on an advancing buffer, effectively tokenizing the buffer. This is
252+ * why the function does NOT decrement its quote mode.
253+ */
254+ ok = "";
255+ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res);
256+
257+ /* Now do the same tests with the IGNORE_QUOTES flag */
258+ mark_point();
259+
260+ str = ok = pstrdup(p, "\"\\\\SYST\"");
261+ res = pr_str_get_word(&str, PR_STR_FL_IGNORE_QUOTES);
262+ fail_unless(res != NULL, "Failed to handle quoted argument: %s",
263+ strerror(errno));
264+ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res);
265+
266+ mark_point();
267+ str = ok = pstrdup(p, "\"\"\\\\SYST");
268+ res = pr_str_get_word(&str, PR_STR_FL_IGNORE_QUOTES);
269+ fail_unless(res != NULL, "Failed to handle quoted argument: %s",
270+ strerror(errno));
271+ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res);
272 }
273 END_TEST
274
275--
2762.25.1
277
diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb
index 686f1e5cdf..9d846f46a2 100644
--- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb
+++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/proftpd/proftpd.git;branch=${BRANCH};protocol=https
15 file://contrib.patch \ 15 file://contrib.patch \
16 file://build_fixup.patch \ 16 file://build_fixup.patch \
17 file://proftpd.service \ 17 file://proftpd.service \
18 file://CVE-2023-51713.patch \
18 " 19 "
19 20
20S = "${WORKDIR}/git" 21S = "${WORKDIR}/git"