0003-fix-CVE-2015-1419.patch 3.25 KB
Fix CVE-2015-1419 - config option deny_file is not handled correctly.
From SUSE: https://bugzilla.suse.com/show_bug.cgi?id=915522

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

Index: vsftpd-3.0.2/ls.c
===================================================================
--- vsftpd-3.0.2.orig/ls.c
+++ vsftpd-3.0.2/ls.c
@@ -7,6 +7,7 @@
  * Would you believe, code to handle directory listing.
  */
 
+#include <stdlib.h>
 #include "ls.h"
 #include "access.h"
 #include "defs.h"
@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct
   struct mystr temp_str = INIT_MYSTR;
   struct mystr brace_list_str = INIT_MYSTR;
   struct mystr new_filter_str = INIT_MYSTR;
+  struct mystr normalize_filename_str = INIT_MYSTR;
+  const char *normname;
+  const char *path;
   int ret = 0;
   char last_token = 0;
   int must_match_at_current_pos = 1;
+
   str_copy(&filter_remain_str, p_filter_str);
-  str_copy(&name_remain_str, p_filename_str);
+
+  /* normalize filepath */
+  path = str_strdup(p_filename_str);
+  normname = realpath(path, NULL);
+  if (normname == NULL)
+     goto out;
+  str_alloc_text(&normalize_filename_str, normname);
+
+  if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) {
+    if (str_get_char_at(p_filter_str, 0) == '/') {
+      if (str_get_char_at(&normalize_filename_str, 0) != '/') {
+        str_getcwd (&name_remain_str);
+
+        if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
+          str_append_char (&name_remain_str, '/');
+
+        str_append_str (&name_remain_str, &normalize_filename_str);
+      }
+      else
+       str_copy (&name_remain_str, &normalize_filename_str);
+    } else {
+      if (str_get_char_at(p_filter_str, 0) != '{')
+        str_basename (&name_remain_str, &normalize_filename_str);
+      else
+        str_copy (&name_remain_str, &normalize_filename_str);
+    }
+  } else
+    str_copy(&name_remain_str, &normalize_filename_str);
 
   while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
   {
@@ -360,6 +392,9 @@ vsf_filename_passes_filter(const struct
     ret = 0;
   }
 out:
+  free(normname);
+  free(path);
+  str_free(&normalize_filename_str);
   str_free(&filter_remain_str);
   str_free(&name_remain_str);
   str_free(&temp_str);
Index: vsftpd-3.0.2/str.c
===================================================================
--- vsftpd-3.0.2.orig/str.c
+++ vsftpd-3.0.2/str.c
@@ -770,3 +770,14 @@ str_replace_unprintable(struct mystr* p_
   }
 }
 
+void
+str_basename (struct mystr* d_str, const struct mystr* path)
+{
+  static struct mystr tmp;
+
+  str_copy (&tmp, path);
+  str_split_char_reverse(&tmp, d_str, '/');
+
+  if (str_isempty(d_str))
+   str_copy (d_str, path);
+}
Index: vsftpd-3.0.2/str.h
===================================================================
--- vsftpd-3.0.2.orig/str.h
+++ vsftpd-3.0.2/str.h
@@ -101,6 +101,7 @@ void str_replace_unprintable(struct myst
 int str_atoi(const struct mystr* p_str);
 filesize_t str_a_to_filesize_t(const struct mystr* p_str);
 unsigned int str_octal_to_uint(const struct mystr* p_str);
+void str_basename (struct mystr* d_str, const struct mystr* path);
 
 /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
  * buffer, starting at character position 'p_pos'. The extracted line will