[Buildroot] [PATCH 1/2] package/pure-ftpd: fix CVE-2019-20176

[Buildroot] [PATCH 1/2] package/pure-ftpd: fix CVE-2019-20176

[Fabrice Fontaine]

In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the
listdir function in ls.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...-to-store-every-file-name-to-display.patch | 70 +++++++++++++++++++
 package/pure-ftpd/pure-ftpd.mk                |  3 +
 2 files changed, 73 insertions(+)
 create mode 100644 package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch

diff --git a/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch b/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
new file mode 100644
index 0000000000..2f791d1d6e
--- /dev/null
+++ b/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
@@ -0,0 +1,70 @@
+From aea56f4bcb9948d456f3fae4d044fd3fa2e19706 Mon Sep 17 00:00:00 2001
+From: Frank Denis <github@pureftpd.org>
+Date: Mon, 30 Dec 2019 17:40:04 +0100
+Subject: [PATCH] listdir(): reuse a single buffer to store every file name to
+ display
+
+Allocating a new buffer for each entry is useless.
+
+And as these buffers are allocated on the stack, on systems with a
+small stack size, with many entries, the limit can easily be reached,
+causing a stack exhaustion and aborting the user session.
+
+Reported by Antonio Morales from the GitHub Security Lab team, thanks!
+[Retrieved from:
+https://github.com/jedisct1/pure-ftpd/commit/aea56f4bcb9948d456f3fae4d044fd3fa2e19706]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/ls.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/ls.c b/src/ls.c
+index cf804c7..f8a588f 100644
+--- a/src/ls.c
++++ b/src/ls.c
+@@ -661,6 +661,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
+     char *names;
+     PureFileInfo *s;
+     PureFileInfo *r;
++    char *alloca_subdir;
++    size_t sizeof_subdir;
+     int d;
+ 
+     if (depth >= max_ls_depth || matches >= max_ls_files) {
+@@ -690,14 +692,12 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
+     }
+     outputfiles(f, tls_fd);
+     r = dir;
++    sizeof_subdir = PATH_MAX + 1U;
++    if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
++        goto toomany;
++    }
+     while (opt_R && r != s) {
+         if (r->name_offset != (size_t) -1 && !chdir(FI_NAME(r))) {
+-            char *alloca_subdir;
+-            const size_t sizeof_subdir = PATH_MAX + 1U;
+-
+-            if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
+-                goto toomany;
+-            }
+             if (SNCHECK(snprintf(alloca_subdir, sizeof_subdir, "%s/%s",
+                                  name, FI_NAME(r)), sizeof_subdir)) {
+                 goto nolist;
+@@ -706,8 +706,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
+             wrstr(f, tls_fd, alloca_subdir);
+             wrstr(f, tls_fd, ":\r\n\r\n");
+             listdir(depth + 1U, f, tls_fd, alloca_subdir);
++
+             nolist:
+-            ALLOCA_FREE(alloca_subdir);
+             if (matches >= max_ls_files) {
+                 goto toomany;
+             }
+@@ -720,6 +720,7 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
+         r++;
+     }
+     toomany:
++    ALLOCA_FREE(alloca_subdir);
+     free(names);
+     free(dir);
+     names = NULL;
diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
index 2d69efe3f9..3af66a066c 100644
--- a/package/pure-ftpd/pure-ftpd.mk
+++ b/package/pure-ftpd/pure-ftpd.mk
@@ -11,6 +11,9 @@ PURE_FTPD_LICENSE = ISC
 PURE_FTPD_LICENSE_FILES = COPYING
 PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
 
+# 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
+PURE_FTPD_IGNORE_CVES += CVE-2019-20176
+
 PURE_FTPD_CONF_OPTS = \
 	--with-altlog \
 	--with-puredb
-- 
2.25.0

[Buildroot] [PATCH 2/2] package/pure-ftpd: fix CVE-2020-9365

[Fabrice Fontaine]

An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read
has been detected in the pure_strcmp function in utils.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...002-pure_strcmp-len-s2-can-be-len-s1.patch | 30 +++++++++++++++++++
 package/pure-ftpd/pure-ftpd.mk                |  3 ++
 2 files changed, 33 insertions(+)
 create mode 100644 package/pure-ftpd/0002-pure_strcmp-len-s2-can-be-len-s1.patch

diff --git a/package/pure-ftpd/0002-pure_strcmp-len-s2-can-be-len-s1.patch b/package/pure-ftpd/0002-pure_strcmp-len-s2-can-be-len-s1.patch
new file mode 100644
index 0000000000..3de3cbd2c8
--- /dev/null
+++ b/package/pure-ftpd/0002-pure_strcmp-len-s2-can-be-len-s1.patch
@@ -0,0 +1,30 @@
+From 36c6d268cb190282a2c17106acfd31863121b58e Mon Sep 17 00:00:00 2001
+From: Frank Denis <github@pureftpd.org>
+Date: Mon, 24 Feb 2020 15:19:43 +0100
+Subject: [PATCH] pure_strcmp(): len(s2) can be > len(s1)
+
+Reported by Antonio Morales from GitHub Security Labs, thanks!
+[Retrieved from:
+https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/utils.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/utils.c b/src/utils.c
+index f41492d..a7f0381 100644
+--- a/src/utils.c
++++ b/src/utils.c
+@@ -45,5 +45,11 @@ int pure_memcmp(const void * const b1_, const void * const b2_, size_t len)
+ 
+ int pure_strcmp(const char * const s1, const char * const s2)
+ {
+-    return pure_memcmp(s1, s2, strlen(s1) + 1U);
++    const size_t s1_len = strlen(s1);
++    const size_t s2_len = strlen(s2);
++
++    if (s1_len != s2_len) {
++        return -1;
++    }
++    return pure_memcmp(s1, s2, s1_len);
+ }
diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
index 3af66a066c..0ef9a35250 100644
--- a/package/pure-ftpd/pure-ftpd.mk
+++ b/package/pure-ftpd/pure-ftpd.mk
@@ -14,6 +14,9 @@ PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
 # 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
 PURE_FTPD_IGNORE_CVES += CVE-2019-20176
 
+# 0002-pure_strcmp-len-s2-can-be-len-s1.patch
+PURE_FTPD_IGNORE_CVES += CVE-2020-9365
+
 PURE_FTPD_CONF_OPTS = \
 	--with-altlog \
 	--with-puredb
-- 
2.25.0

[Buildroot] [PATCH 1/2] package/pure-ftpd: fix CVE-2019-20176

[Yann E. MORIN]

Fabrice, All,

On 2020-02-29 21:34 +0100, Fabrice Fontaine spake thusly:
> In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the
> listdir function in ls.c.
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Series applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  ...-to-store-every-file-name-to-display.patch | 70 +++++++++++++++++++
>  package/pure-ftpd/pure-ftpd.mk                |  3 +
>  2 files changed, 73 insertions(+)
>  create mode 100644 package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
> 
> diff --git a/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch b/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
> new file mode 100644
> index 0000000000..2f791d1d6e
> --- /dev/null
> +++ b/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
> @@ -0,0 +1,70 @@
> +From aea56f4bcb9948d456f3fae4d044fd3fa2e19706 Mon Sep 17 00:00:00 2001
> +From: Frank Denis <github@pureftpd.org>
> +Date: Mon, 30 Dec 2019 17:40:04 +0100
> +Subject: [PATCH] listdir(): reuse a single buffer to store every file name to
> + display
> +
> +Allocating a new buffer for each entry is useless.
> +
> +And as these buffers are allocated on the stack, on systems with a
> +small stack size, with many entries, the limit can easily be reached,
> +causing a stack exhaustion and aborting the user session.
> +
> +Reported by Antonio Morales from the GitHub Security Lab team, thanks!
> +[Retrieved from:
> +https://github.com/jedisct1/pure-ftpd/commit/aea56f4bcb9948d456f3fae4d044fd3fa2e19706]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + src/ls.c | 15 ++++++++-------
> + 1 file changed, 8 insertions(+), 7 deletions(-)
> +
> +diff --git a/src/ls.c b/src/ls.c
> +index cf804c7..f8a588f 100644
> +--- a/src/ls.c
> ++++ b/src/ls.c
> +@@ -661,6 +661,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
> +     char *names;
> +     PureFileInfo *s;
> +     PureFileInfo *r;
> ++    char *alloca_subdir;
> ++    size_t sizeof_subdir;
> +     int d;
> + 
> +     if (depth >= max_ls_depth || matches >= max_ls_files) {
> +@@ -690,14 +692,12 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
> +     }
> +     outputfiles(f, tls_fd);
> +     r = dir;
> ++    sizeof_subdir = PATH_MAX + 1U;
> ++    if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
> ++        goto toomany;
> ++    }
> +     while (opt_R && r != s) {
> +         if (r->name_offset != (size_t) -1 && !chdir(FI_NAME(r))) {
> +-            char *alloca_subdir;
> +-            const size_t sizeof_subdir = PATH_MAX + 1U;
> +-
> +-            if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
> +-                goto toomany;
> +-            }
> +             if (SNCHECK(snprintf(alloca_subdir, sizeof_subdir, "%s/%s",
> +                                  name, FI_NAME(r)), sizeof_subdir)) {
> +                 goto nolist;
> +@@ -706,8 +706,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
> +             wrstr(f, tls_fd, alloca_subdir);
> +             wrstr(f, tls_fd, ":\r\n\r\n");
> +             listdir(depth + 1U, f, tls_fd, alloca_subdir);
> ++
> +             nolist:
> +-            ALLOCA_FREE(alloca_subdir);
> +             if (matches >= max_ls_files) {
> +                 goto toomany;
> +             }
> +@@ -720,6 +720,7 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
> +         r++;
> +     }
> +     toomany:
> ++    ALLOCA_FREE(alloca_subdir);
> +     free(names);
> +     free(dir);
> +     names = NULL;
> diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
> index 2d69efe3f9..3af66a066c 100644
> --- a/package/pure-ftpd/pure-ftpd.mk
> +++ b/package/pure-ftpd/pure-ftpd.mk
> @@ -11,6 +11,9 @@ PURE_FTPD_LICENSE = ISC
>  PURE_FTPD_LICENSE_FILES = COPYING
>  PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
>  
> +# 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
> +PURE_FTPD_IGNORE_CVES += CVE-2019-20176
> +
>  PURE_FTPD_CONF_OPTS = \
>  	--with-altlog \
>  	--with-puredb
> -- 
> 2.25.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH 1/2] package/pure-ftpd: fix CVE-2019-20176

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the
 > listdir function in ls.c.

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2019.02.x and 2019.11.x, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 2/2] package/pure-ftpd: fix CVE-2020-9365

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read
 > has been detected in the pure_strcmp function in utils.c.

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2019.02.x and 2019.11.x, thanks.

-- 
Bye, Peter Korsgaard