packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

CVE: Fix CVE-2020-7211

Browse Source 
backport from upstream:
14ec36e107

Signed-off-by: Ying Fang <fangying1@huawei.com>
This commit is contained in:
Ying Fang 2020-05-15 16:51:37 +08:00
parent f10dd80ac0
commit ce26e77689
2 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
qemu.spec
View File

@ -164,6 +164,7 @@ Patch0151: migration-rdma-fix-a-memleak-on-error-path-in-rdma_s.patch
Patch0152: arm-virt-Support-CPU-cold-plug.patch
Patch0153: ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch
Patch0154: ati-vga-Fix-checks-in-ati_2d_blt-to-avoid-crash.patch
Patch0155: slirp-tftp-restrict-relative-path-access.patch
BuildRequires: flex
BuildRequires: bison
@ -512,6 +513,7 @@ getent passwd qemu >/dev/null || \
* Fri May 15 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
- ati-vga: Fix checks in ati_2d_blt() to avoid crash
- slirp: tftp: restrict relative path access
* Tue May 12 2020 Huawei Technologies Co., Ltd. <zhukeqian1@huawei.com>
- arm/virt: Support CPU cold plug

37
slirp-tftp-restrict-relative-path-access.patch Normal file
View File

@ -0,0 +1,37 @@
From 2fc07f4ce31a2cc9973cfb1c20897c6a4babd8b8 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 15 May 2020 16:45:28 +0800
Subject: [PATCH] slirp: tftp: restrict relative path access
tftp restricts relative or directory path access on Linux systems.
Apply same restrictions on Windows systems too. It helps to avoid
directory traversal issue.
Fixes: https://bugs.launchpad.net/qemu/+bug/1812451Reported-by: default avatarPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
index 093c2e06..2b4176cc 100644
--- a/slirp/src/tftp.c
+++ b/slirp/src/tftp.c
@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
k += 6; /* skipping octet */
/* do sanity checks on the filename */
- if (!strncmp(req_fname, "../", 3) ||
- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
+ if (
+#ifdef G_OS_WIN32
+ strstr(req_fname, "..\\") ||
+ req_fname[strlen(req_fname) - 1] == '\\' ||
+#endif
+ strstr(req_fname, "../") ||
+ req_fname[strlen(req_fname) -1] == '/') {
tftp_send_error(spt, 2, "Access violation", tp);
return;
}
--
2.23.0